Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-62724
Publication date:
20/11/2025
Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, users can craft a "Time of Check to Time of Use" (TOCTOU) attack when downloading zip files to access files outside of the OOD_ALLOWLIST. This vulnerability impacts sites that use the file browser allowlists in all current versions of OOD. However, files accessed are still protected by the UNIX permissions. Open OnDemand versions 4.0.8 and 3.1.16 have been patched for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2025

CVE-2025-52410
Publication date:
20/11/2025
Institute-of-Current-Students v1.0 contains a time-based blind SQL injection vulnerability in the mydetailsstudent.php endpoint. The `myds` GET parameter is not adequately sanitized before being used in SQL queries.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2025

CVE-2025-13437
Publication date:
20/11/2025
When zx is invoked with --prefer-local=, the CLI creates a symlink named ./node_modules pointing to /node_modules. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (symlink path). The later cleanup routine removes what it received, which deletes the target directory itself. Result: zx can delete an external /node_modules outside the current working directory.
Severity CVSS v4.0: MEDIUM
Last modification:
20/11/2025

CVE-2025-12120
Publication date:
20/11/2025
Lite XL versions 2.1.8 and prior automatically execute the .lite_project.lua file when opening a project directory, without prompting the user for confirmation. The .lite_project.lua file is intended for project-specific configuration but can contain executable Lua logic. This behavior could allow execution of untrusted Lua code if a user opens a malicious project, potentially leading to arbitrary code execution with the privileges of the Lite XL process.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2025

CVE-2025-12121
Publication date:
20/11/2025
Lite XL versions 2.1.8 and prior contain a vulnerability in the system.exec function, which allowed arbitrary command execution through unsanitized shell command construction. This function was used in project directory launching (core.lua), drag-and-drop file handling (rootview.lua), and the “open in system” command in the treeview plugin (treeview.lua). If an attacker could influence input to system.exec, they might execute arbitrary commands with the privileges of the Lite XL process.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2025

CVE-2025-62730
Publication date:
20/11/2025
SOPlanning is vulnerable to Privilege Escalation in user management tab. Users with user_manage_team role are allowed to modify permissions of users. However, they are able to assign administrative permissions to any user including themselves. This allow a malicious authenticated attacker with this role to escalate to admin privileges. This issue affects both Bulk Update functionality and regular edition of user&amp;#39;s right and privileges.<br /> <br /> This issue was fixed in version 1.55.
Severity CVSS v4.0: HIGH
Last modification:
20/11/2025

CVE-2025-62731
Publication date:
20/11/2025
SOPlanning is vulnerable to Stored XSS in /feries endpoint. Malicious attacker with access to public holidays feature is able to inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. By default only administrators and users with special privileges are able to access this endpoint.<br /> <br /> This issue was fixed in version 1.55.
Severity CVSS v4.0: MEDIUM
Last modification:
20/11/2025

CVE-2025-62875
Publication date:
20/11/2025
An Improper Check for Unusual or Exceptional Conditions vulnerability in OpenSMTPD allows local users to crash OpenSMTPD.<br /> <br /> <br /> <br /> <br /> This issue affects openSUSE Tumbleweed: from ? before 7.8.0p0-1.1.
Severity CVSS v4.0: MEDIUM
Last modification:
20/11/2025

CVE-2025-62293
Publication date:
20/11/2025
SOPlanning is vulnerable to Broken Access Control in /status endpoint. Due to lack of permission checks in Project Status functionality an authenticated attacker is able to add, edit and delete any status.<br /> <br /> <br /> This issue was fixed in version 1.55.
Severity CVSS v4.0: MEDIUM
Last modification:
20/11/2025

CVE-2025-62294
Publication date:
20/11/2025
SOPlanning is vulnerable to Predictable Generation of Password Recovery Token. Due to weak mechanism of generating recovery tokens, a malicious attacker is able to brute-force all possible values and takeover any account in reasonable amount of time.<br /> <br /> This issue was fixed in version 1.55.
Severity CVSS v4.0: HIGH
Last modification:
20/11/2025

CVE-2025-62295
Publication date:
20/11/2025
SOPlanning is vulnerable to Stored XSS in /groupe_form endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor.<br /> <br /> This issue was fixed in version 1.55.
Severity CVSS v4.0: MEDIUM
Last modification:
20/11/2025

CVE-2025-62296
Publication date:
20/11/2025
SOPlanning is vulnerable to Stored XSS in /taches endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor.<br /> <br /> This issue was fixed in version 1.55.
Severity CVSS v4.0: MEDIUM
Last modification:
20/11/2025
Subscribe to Vulnerabilities