Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-25946

Publication date:
19/02/2025
An issue in Bento4 v1.6.0-641 allows an attacker to cause a memory leak via Ap4Marlin.cpp and Ap4Processor.cpp, specifically in AP4_MarlinIpmpEncryptingProcessor::Initialize and AP4_Processor::Process, during the execution of mp4encrypt with a specially crafted MP4 input file.
Severity CVSS v4.0: Pending analysis
Last modification:
09/06/2025

CVE-2025-25947

Publication date:
19/02/2025
An issue in Bento4 v1.6.0-641 allows an attacker to trigger a segmentation fault via Ap4Atom.cpp, specifically in AP4_AtomParent::RemoveChild, during the execution of mp4encrypt with a specially crafted MP4 input file.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2025

CVE-2025-27092

Publication date:
19/02/2025
GHOSTS is an open source user simulation framework for cyber experimentation, simulation, training, and exercise. A path traversal vulnerability was discovered in GHOSTS version 8.0.0.0 that allows an attacker to access files outside of the intended directory through the photo retrieval endpoint. The vulnerability exists in the /api/npcs/{id}/photo endpoint, which is designed to serve profile photos for NPCs (Non-Player Characters) but fails to properly validate and sanitize file paths. When an NPC is created with a specially crafted photoLink value containing path traversal sequences (../, ..\, etc.), the application processes these sequences without proper sanitization. This allows an attacker to traverse directory structures and access files outside of the intended photo directory, potentially exposing sensitive system files. The vulnerability is particularly severe because it allows reading arbitrary files from the server's filesystem with the permissions of the web application process, which could include configuration files, credentials, or other sensitive data. This issue has been addressed in version 8.2.7.90 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: HIGH
Last modification:
27/02/2025

CVE-2025-21355

Publication date:
19/02/2025
Missing Authentication for Critical Function in Microsoft Bing allows an unauthorized attacker to execute code over a network
Severity CVSS v4.0: Pending analysis
Last modification:
05/03/2025

CVE-2024-10339

Publication date:
19/02/2025
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
19/02/2025

CVE-2024-37359

Publication date:
19/02/2025
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. (CWE-918)

Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not validate the Host header of incoming HTTP/HTTPS requests.

By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts in internal networks, use other URLs such as that can access documents on the system (using file://), or use other protocols such as gopher:// or tftp://, which may provide greater control over the contents of requests.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-37360

Publication date:
19/02/2025
Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79)

Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.0 and 9.3.0.9, including 8.3.x, allow a malicious URL to inject content into the Analyzer plugin interface.

Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-5705

Publication date:
19/02/2025
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. (CWE-863)

Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, have modules enabled by default that allow execution of system level processes.

When access control checks are incorrectly applied, users can access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures and denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-5706

Publication date:
19/02/2025
The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99)

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not restrict JNDI identifiers during the creation of Community Dashboards, allowing control of system-level data sources.

An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information, which can lead to remote code execution by unauthorized users.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2023-51305

Publication date:
19/02/2025
PHPJabbers Car Park Booking System v3.0 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) in the "name, plugin_sms_api_key, plugin_sms_country_code, title, plugin_sms_api_key" parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-27090

Publication date:
19/02/2025
Sliver is an open source cross-platform adversary emulation/red team framework; it can be used by organizations of all sizes to perform security testing. The reverse port forwarding in the Sliver teamserver allows the implant to open a reverse tunnel on the Sliver teamserver without verifying whether the operator instructed the implant to do so. The only impact that has been shown is the exposure of the server's IP address to a third party. This issue has been addressed in version 1.5.43 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: MEDIUM
Last modification:
27/02/2025

CVE-2023-51303

Publication date:
19/02/2025
PHPJabbers Event Ticketing System v1.0 is vulnerable to Multiple HTML Injection in the "lid, name, plugin_sms_api_key, plugin_sms_country_code, title, plugin_sms_api_key, title" parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025