Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-45647

Publication date:
20/01/2025
IBM Security Verify Access 10.0.0 through 10.0.8 and IBM Security Verify Access Docker 10.0.0 through 10.0.8 could allow could an unverified user to change the password of an expired user without prior knowledge of that password.
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2025

CVE-2025-24337

Publication date:
20/01/2025
WriteFreely through 0.15.1, when MySQL is used, allows local users to discover credentials by reading config.ini.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-21655

Publication date:
20/01/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period<br /> <br /> io_eventfd_do_signal() is invoked from an RCU callback, but when<br /> dropping the reference to the io_ev_fd, it calls io_eventfd_free()<br /> directly if the refcount drops to zero. This isn&amp;#39;t correct, as any<br /> potential freeing of the io_ev_fd should be deferred another RCU grace<br /> period.<br /> <br /> Just call io_eventfd_put() rather than open-code the dec-and-test and<br /> free, which will correctly defer it another RCU grace period.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2026

CVE-2024-13176

Publication date:
20/01/2025
Issue summary: A timing side-channel which could potentially allow recovering<br /> the private key exists in the ECDSA signature computation.<br /> <br /> Impact summary: A timing side-channel in ECDSA signature computations<br /> could allow recovering the private key by an attacker. However, measuring<br /> the timing would require either local access to the signing application or<br /> a very fast network connection with low latency.<br /> <br /> There is a timing signal of around 300 nanoseconds when the top word of<br /> the inverted ECDSA nonce value is zero. This can happen with significant<br /> probability only for some of the supported elliptic curves. In particular<br /> the NIST P-521 curve is affected. To be able to measure this leak, the attacker<br /> process must either be located in the same physical computer or must<br /> have a very fast network connection with low latency. For that reason<br /> the severity of this vulnerability is Low.<br /> <br /> The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-0479

Publication date:
20/01/2025
This vulnerability exists in the CP Plus Router due to insecure handling of cookie flags used within its web interface. A remote attacker could exploit this vulnerability by intercepting data transmissions during an HTTP session on the vulnerable system.<br /> <br /> Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and compromise the targeted system.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026

CVE-2023-52923

Publication date:
20/01/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_tables: adapt set backend to use GC transaction API<br /> <br /> Use the GC transaction API to replace the old and buggy gc API and the<br /> busy mark approach.<br /> <br /> No set elements are removed from async garbage collection anymore,<br /> instead the _DEAD bit is set on so the set element is not visible from<br /> lookup path anymore. Async GC enqueues transaction work that might be<br /> aborted and retried later.<br /> <br /> rbtree and pipapo set backends does not set on the _DEAD bit from the<br /> sync GC path since this runs in control plane path where mutex is held.<br /> In this case, set elements are deactivated, removed and then released<br /> via RCU callback, sync GC never fails.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2025

CVE-2025-0590

Publication date:
20/01/2025
Improper permission settings for mobile applications (com.transsion.carlcare) may lead to <br /> <br /> information leakage risk.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-0584

Publication date:
20/01/2025
The a+HRD from aEnrich Technology has a Server-side Request Forgery, allowing unauthenticated remote attackers to exploit this vulnerability to probe internal network.
Severity CVSS v4.0: Pending analysis
Last modification:
17/11/2025

CVE-2025-0585

Publication date:
20/01/2025
The a+HRD from aEnrich Technology has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
Severity CVSS v4.0: Pending analysis
Last modification:
17/11/2025

CVE-2025-0586

Publication date:
20/01/2025
The a+HRD from aEnrich Technology has an Insecure Deserialization vulnerability, allowing remote attackers with database modification privileges and regular system privileges to perform arbitrary code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
17/11/2025

CVE-2024-13524

Publication date:
20/01/2025
A vulnerability has been found in obsproject OBS Studio up to 30.0.2 on Windows and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to untrusted search path. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation appears to be difficult. It is recommended to apply a patch to fix this issue. The vendor disagrees that this issue is "something worth reporting, as every attack surface requires privileged access/user compromise".
Severity CVSS v4.0: LOW
Last modification:
15/04/2026

CVE-2025-0579

Publication date:
20/01/2025
A vulnerability was found in Shiprocket Module 3/4 on OpenCart. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /index.php?route=extension/shiprocket/module/restapi of the component REST API Module. The manipulation of the argument x-username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026