Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-1432

Publication date:

03/02/2026

SQL injection vulnerability in the Buroweb platform version 2505.0.12, specifically in the &#39;tablon&#39; component. This vulnerability is present in several parameters that do not correctly sanitize user input in the endpoint &#39;/sta/CarpetaPublic/doEvent?APP_CODE=STA&PAGE_CODE=TABLON&#39;. Exploiting this vulnerability could allow an attacker to execute queries on the database and gain access to confidential information.

Severity CVSS v4.0: CRITICAL

Last modification:

03/02/2026

CVE-2026-1664

Publication date:

03/02/2026

Summary An Insecure Direct Object Reference has been found to exist in `createHeaderBasedEmailResolver()` function within the Cloudflare Agents SDK. The issue occurs because the `Message-ID` and `References` headers are parsed to derive the target agentName and agentId without proper validation or origin checks, allowing an external attacker with control of these headers to route inbound mail to arbitrary Durable Object instances and namespaces . Root cause The `createHeaderBasedEmailResolver()` function lacks cryptographic verification or origin validation for the headers used in the routing logic, effectively allowing external input to dictate internal object routing. Impact Insecure Direct Object Reference (IDOR) in email routing lets an attacker steer inbound mail to arbitrary Agent instances via spoofed Message-ID. Mitigation: * PR: https://github.com/cloudflare/agents/blob/main/docs/email.md ] provides the necessary architectural context for coding agents to mitigate the issue by refactoring the resolver to enforce strict identity boundaries. * Agents-sdk users should upgrade to agents@0.3.7

Severity CVSS v4.0: MEDIUM

Last modification:

03/02/2026

CVE-2025-67857

Publication date:

03/02/2026

A flaw was found in moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This data exposure allows unauthorized viewers to see internal user IDs, compromising the intended anonymity and potentially leading to information disclosure.

Severity CVSS v4.0: Pending analysis

Last modification:

03/02/2026

CVE-2025-67849

Publication date:

03/02/2026

A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. When other users view these compromised pages, their sessions could be stolen, or the user interface could be manipulated.

Severity CVSS v4.0: Pending analysis

Last modification:

03/02/2026

CVE-2025-67850

Publication date:

03/02/2026

A flaw was found in moodle. This vulnerability, known as Cross-Site Scripting (XSS), occurs due to insufficient checks on user-provided data in the formula editor&#39;s arithmetic expression fields. A remote attacker could inject malicious code into these fields. When other users view these expressions, the malicious code would execute in their web browsers, potentially compromising their data or leading to unauthorized actions.

Severity CVSS v4.0: Pending analysis

Last modification:

03/02/2026

CVE-2025-67851

Publication date:

03/02/2026

A flaw was found in moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet.

Severity CVSS v4.0: Pending analysis

Last modification:

03/02/2026

CVE-2025-67852

Publication date:

03/02/2026

A flaw was found in Moodle. An open redirect vulnerability in the OAuth login flow allows a remote attacker to redirect users to attacker-controlled pages after they have successfully authenticated. This occurs due to insufficient validation of redirect parameters, which could lead to phishing attacks or information disclosure.

Severity CVSS v4.0: Pending analysis

Last modification:

03/02/2026

CVE-2025-67853

Publication date:

03/02/2026

A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This vulnerability allows attackers to more easily enumerate or guess user credentials, facilitating brute-force attacks against user accounts.

Severity CVSS v4.0: Pending analysis

Last modification:

03/02/2026

CVE-2025-67855

Publication date:

03/02/2026

A flaw was found in mooodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitization of URL parameters, allowing attackers to inject malicious scripts through specially crafted links. Successful exploitation could lead to information disclosure or arbitrary client-side script execution within the user&#39;s browser.

Severity CVSS v4.0: Pending analysis

Last modification:

03/02/2026

CVE-2025-67856

Publication date:

03/02/2026

A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. This could enable unauthorized users to obtain badges they are not entitled to, potentially leading to privilege escalation or unauthorized access to certain features.

Severity CVSS v4.0: Pending analysis

Last modification:

03/02/2026

CVE-2025-67848

Publication date:

03/02/2026

A flaw was found in Moodle. This authentication bypass vulnerability allows suspended users to authenticate through the Learning Tools Interoperability (LTI) Provider. The issue arises from the LTI authentication handlers failing to enforce the user&#39;s suspension status, enabling unauthorized access to the system. This can lead to information disclosure or other unauthorized actions by users who should be restricted.

Severity CVSS v4.0: Pending analysis

Last modification:

03/02/2026

CVE-2025-59902

Publication date:

03/02/2026

HTML injection vulnerability in NICE Chat. This vulnerability allows an attacker to inject and render arbitrary HTML content in email transcripts by modifying the &#39;firstName&#39; and &#39;lastName&#39; parameters during a chat session. The injected HTML is included in the body of the email sent by the system, which could enable phishing attacks, impersonation, or credential theft.

Severity CVSS v4.0: HIGH

Last modification:

03/02/2026

Subscribe to Vulnerabilities