Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-58097

Publication date:

16/04/2025

In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix RCU stall while reaping monitor destination ring While processing the monitor destination ring, MSDUs are reaped from the link descriptor based on the corresponding buf_id. However, sometimes the driver cannot obtain a valid buffer corresponding to the buf_id received from the hardware. This causes an infinite loop in the destination processing, resulting in a kernel crash. kernel log: ath11k_pci 0000:58:00.0: data msdu_pop: invalid buf_id 309 ath11k_pci 0000:58:00.0: data dp_rx_monitor_link_desc_return failed ath11k_pci 0000:58:00.0: data msdu_pop: invalid buf_id 309 ath11k_pci 0000:58:00.0: data dp_rx_monitor_link_desc_return failed Fix this by skipping the problematic buf_id and reaping the next entry, replacing the break with the next MSDU processing. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30 Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1

Severity CVSS v4.0: Pending analysis

Last modification:

06/04/2026

CVE-2024-58093

Publication date:

16/04/2025

In the Linux kernel, the following vulnerability has been resolved: PCI/ASPM: Fix link state exit during switch upstream function removal Before 456d8aa37d0f ("PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free"), we would free the ASPM link only after the last function on the bus pertaining to the given link was removed. That was too late. If function 0 is removed before sibling function, link->downstream would point to free&#39;d memory after. After above change, we freed the ASPM parent link state upon any function removal on the bus pertaining to a given link. That is too early. If the link is to a PCIe switch with MFD on the upstream port, then removing functions other than 0 first would free a link which still remains parent_link to the remaining downstream ports. The resulting GPFs are especially frequent during hot-unplug, because pciehp removes devices on the link bus in reverse order. On that switch, function 0 is the virtual P2P bridge to the internal bus. Free exactly when function 0 is removed -- before the parent link is obsolete, but after all subordinate links are gone. [kwilczynski: commit log]

Severity CVSS v4.0: Pending analysis

Last modification:

28/10/2025

CVE-2023-53034

Publication date:

16/04/2025

In the Linux kernel, the following vulnerability has been resolved: ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans There is a kernel API ntb_mw_clear_trans() would pass 0 to both addr and size. This would make xlate_pos negative. [ 23.734156] switchtec switchtec0: MW 0: part 0 addr 0x0000000000000000 size 0x0000000000000000 [ 23.734158] ================================================================================ [ 23.734172] UBSAN: shift-out-of-bounds in drivers/ntb/hw/mscc/ntb_hw_switchtec.c:293:7 [ 23.734418] shift exponent -1 is negative Ensuring xlate_pos is a positive or zero before BIT.

Severity CVSS v4.0: Pending analysis

Last modification:

03/11/2025

CVE-2025-3692

Publication date:

16/04/2025

A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /oews/classes/Master.php?f=save_product. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Severity CVSS v4.0: MEDIUM

Last modification:

29/04/2025

CVE-2025-3693

Publication date:

16/04/2025

A vulnerability was found in Tenda W12 3.0.0.5. It has been rated as critical. Affected by this issue is the function cgiWifiRadioSet of the file /bin/httpd. The manipulation leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Severity CVSS v4.0: HIGH

Last modification:

16/07/2025

CVE-2024-58248

Publication date:

16/04/2025

nopCommerce through 4.90.1 does not offer locking for order placement. Thus there is a race condition with duplicate redeeming of gift cards.

Severity CVSS v4.0: Pending analysis

Last modification:

19/12/2025

CVE-2025-3689

Publication date:

16/04/2025

A vulnerability has been found in PHPGurukul Men Salon Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/edit-customer-detailed.php. The manipulation of the argument editid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Severity CVSS v4.0: MEDIUM

Last modification:

28/05/2025

CVE-2025-3690

Publication date:

16/04/2025

A vulnerability was found in PHPGurukul Men Salon Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/edit-services.php. The manipulation of the argument cost leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Severity CVSS v4.0: MEDIUM

Last modification:

24/04/2025

CVE-2025-3691

Publication date:

16/04/2025

A vulnerability was found in mirweiye Seven Bears Library CMS 2023. It has been classified as problematic. Affected is an unknown function of the component Add Link Handler. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Severity CVSS v4.0: MEDIUM

Last modification:

24/04/2025

CVE-2025-39593

Publication date:

16/04/2025

Cross-Site Request Forgery (CSRF) vulnerability in EverAccounting Ever Accounting wp-ever-accounting allows Cross Site Request Forgery.This issue affects Ever Accounting: from n/a through

Severity CVSS v4.0: Pending analysis

Last modification:

23/04/2026

CVE-2025-39597

Publication date:

16/04/2025

URL Redirection to Untrusted Site (&#39;Open Redirect&#39;) vulnerability in Arthur Yarwood Fast eBay Listings fast-ebay-listings allows Phishing.This issue affects Fast eBay Listings: from n/a through

Severity CVSS v4.0: Pending analysis

Last modification:

23/04/2026

CVE-2025-39598

Publication date:

16/04/2025

Path Traversal: &#39;.../...//&#39; vulnerability in Quý Lê 91 Administrator Z administrator-z allows Path Traversal.This issue affects Administrator Z: from n/a through

Severity CVSS v4.0: Pending analysis

Last modification:

23/04/2026

Subscribe to Vulnerabilities