Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-53549

Publication date:
10/07/2025
The Matrix Rust SDK is a collection of libraries that make it easier to build Matrix clients in Rust. An SQL injection vulnerability in the EventCache::find_event_with_relations method of matrix-sdk 0.11 and 0.12 allows malicious room members to execute arbitrary SQL commands in Matrix clients that directly pass relation types provided by those room members into this method, when used with the default sqlite-based store backend. Exploitation is unlikely, as no known clients currently use the API in this manner. This vulnerability is fixed in 0.13.
Severity CVSS v4.0: MEDIUM
Last modification:
15/07/2025

CVE-2025-53625

Publication date:
10/07/2025
The DynamicPageList3 extension is a reporting tool for MediaWiki, listing category members and intersections with various formats and details. Several #dpl parameters can leak usernames that have been hidden using revision deletion, suppression, or the hideuser block flag. The vulnerability is fixed in 3.6.4.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2025

CVE-2025-52434

Publication date:
10/07/2025
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 9.0.107, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2025

CVE-2025-52473

Publication date:
10/07/2025
liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. Multiple secret-dependent branches have been identified in the reference implementation of the HQC key encapsulation mechanism when it is compiled with Clang for optimization levels above -O0 (-O1, -O2, etc). A proof-of-concept local attack exploits this secret-dependent information to recover the entire secret key. This vulnerability is fixed in 0.14.0.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2025

CVE-2025-52520

Publication date:
10/07/2025
For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2025

CVE-2025-52521

Publication date:
10/07/2025
Trend Micro Security 17.8 (Consumer) is vulnerable to a link following local privilege escalation vulnerability that could allow a local attacker to unintentionally delete privileged Trend Micro files including its own.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2025

CVE-2025-52837

Publication date:
10/07/2025
Trend Micro Password Manager (Consumer) version 5.8.0.1327 and below is vulnerable to a Link Following Privilege Escalation Vulnerability that could allow an attacker the opportunity to abuse symbolic links and other methods to delete any file/folder and achieve privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2025

CVE-2025-28244

Publication date:
10/07/2025
Insecure Permissions vulnerability in the Local Storage in Alteryx Server 2023.1.1.460 allows remote attackers to obtain valid user session tokens from localStorage, leading to account takeover
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2025

CVE-2025-28245

Publication date:
10/07/2025
Cross-site scripting (XSS) vulnerability in Alteryx Server 2023.1.1.460 allows remote attackers to inject arbitrary web script or HTML via the notification body.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2025

CVE-2025-28243

Publication date:
10/07/2025
An issue in Alteryx Server v.2023.1.1.460 allows HTML injection via a crafted script to the pages component.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2025

CVE-2025-53371

Publication date:
10/07/2025
DiscordNotifications is an extension for MediaWiki that sends notifications of actions in your Wiki to a Discord channel. DiscordNotifications allows sending requests via curl and file_get_contents to arbitrary URLs set via $wgDiscordIncomingWebhookUrl and $wgDiscordAdditionalIncomingWebhookUrls. This allows for DOS by causing the server to read large files. SSRF is also possible if there are internal unprotected APIs that can be accessed using HTTP POST requests, which could also possibly lead to RCE. This vulnerability is fixed in commit 1f20d850cbcce5b15951c7c6127b87b927a5415e.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2025

CVE-2025-49630

Publication date:
10/07/2025
In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2025