Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-59686

Publication date:
01/10/2025
Kazaar 1.25.12 allows /api/v1/org-id/orders/order-id/documents calls with a modified order-id.
Severity CVSS v4.0: Pending analysis
Last modification:
28/10/2025

CVE-2025-59687

Publication date:
01/10/2025
IMPAQTR Aurora before 1.36 allows Insecure Direct Object Reference attacks against the users list, organization details, bookmarks, and notifications of an arbitrary organization.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2025

CVE-2025-57275

Publication date:
01/10/2025
Storage Performance Development Kit (SPDK) 25.05 is vulnerable to Buffer Overflow in the NVMe-oF target component in SPDK - lib/nvmf.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2025

CVE-2025-59684

Publication date:
01/10/2025
DigiSign DigiSigner ONE 1.0.4.60 allows DLL Hijacking.
Severity CVSS v4.0: Pending analysis
Last modification:
08/10/2025

CVE-2025-52040

Publication date:
01/10/2025
In Frappe ERPNext 15.57.5, the function get_blanket_orders() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the blanket_order_type parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2025

CVE-2025-52041

Publication date:
01/10/2025
In Frappe ERPNext 15.57.5, the function get_stock_balance_for() at erpnext/stock/doctype/stock_reconciliation/stock_reconciliation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the inventory_dimensions_dict parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2025

CVE-2025-52042

Publication date:
01/10/2025
In Frappe ERPNext 15.57.5, the function get_rfq_containing_supplier() at erpnext/buying/doctype/request_for_quotation/request_for_quotation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query via the txt parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2025

CVE-2025-52039

Publication date:
01/10/2025
In Frappe ERPNext 15.57.5, the function get_material_requests_based_on_supplier() at erpnext/stock/doctype/material_request/material_request.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the txt parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2025

CVE-2025-41421

Publication date:
01/10/2025
Improper handling of symbolic links in the TeamViewer Full Client and Host for Windows — in versions prior to 15.70 of TeamViewer Remote and Tensor — allows an attacker with local, unprivileged access to a device lacking adequate malware protection to escalate privileges by spoofing the update file path. This may result in unauthorized access to sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2025

CVE-2025-40647

Publication date:
01/10/2025
Stored Cross-Site Scripting (XSS) vulnerability in Issabel v5.0.0, consisting of a stored XSS due to a lack of proper validation of user input, through the 'email' parameter in '/index.php?menu=address_book'.
Severity CVSS v4.0: MEDIUM
Last modification:
02/10/2025

CVE-2025-40648

Publication date:
01/10/2025
Stored Cross-Site Scripting (XSS) vulnerability in Issabel v5.0.0, consisting of a stored XSS due to a lack of proper validation of user input, through the 'numero_conferencia' parameter in '/index.php?menu=conferencia'.
Severity CVSS v4.0: MEDIUM
Last modification:
02/10/2025

CVE-2023-53525

Publication date:
01/10/2025
In the Linux kernel, the following vulnerability has been resolved:

RDMA/cma: Allow UD qp_type to join multicast only

As for multicast:
- The SIDR is the only mode that makes sense;
- Besides PS_UDP, other port spaces like PS_IB is also allowed, as it is
  UD compatible. In this case qkey also needs to be set [1].

This patch allows only UD qp_type to join multicast, and set qkey to
default if it's not set, to fix an uninit-value error: the ib->rec.qkey
field is accessed without being initialized.

=====================================================
BUG: KMSAN: uninit-value in cma_set_qkey drivers/infiniband/core/cma.c:510 [inline]
BUG: KMSAN: uninit-value in cma_make_mc_event+0xb73/0xe00 drivers/infiniband/core/cma.c:4570
cma_set_qkey drivers/infiniband/core/cma.c:510 [inline]
cma_make_mc_event+0xb73/0xe00 drivers/infiniband/core/cma.c:4570
cma_iboe_join_multicast drivers/infiniband/core/cma.c:4782 [inline]
rdma_join_multicast+0x2b83/0x30a0 drivers/infiniband/core/cma.c:4814
ucma_process_join+0xa76/0xf60 drivers/infiniband/core/ucma.c:1479
ucma_join_multicast+0x1e3/0x250 drivers/infiniband/core/ucma.c:1546
ucma_write+0x639/0x6d0 drivers/infiniband/core/ucma.c:1732
vfs_write+0x8ce/0x2030 fs/read_write.c:588
ksys_write+0x28c/0x520 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__ia32_sys_write+0xdb/0x120 fs/read_write.c:652
do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
__do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
entry_SYSENTER_compat_after_hwframe+0x4d/0x5c

Local variable ib.i created at:
cma_iboe_join_multicast drivers/infiniband/core/cma.c:4737 [inline]
rdma_join_multicast+0x586/0x30a0 drivers/infiniband/core/cma.c:4814
ucma_process_join+0xa76/0xf60 drivers/infiniband/core/ucma.c:1479

CPU: 0 PID: 29874 Comm: syz-executor.3 Not tainted 5.16.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
=====================================================

[1] https://lore.kernel.org/linux-rdma/20220117183832.GD84788@nvidia.com/
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2025