Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we provide a database, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, since entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to their different information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can find the latest vulnerabilities.

CVE-2025-48924

Publication date:
11/07/2025
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: starting with commons-lang:commons-lang 2.0 to 2.6, and from org.apache.commons:commons-lang3 3.0 before 3.18.0.
The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2025

CVE-2025-52089

Publication date:
11/07/2025
A hidden remote support feature protected by a static secret in TOTOLINK N300RB firmware version 8.54 allows an authenticated attacker to execute arbitrary OS commands with root privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2025

CVE-2023-38327

Publication date:
11/07/2025
An issue was discovered in eGroupWare 17.1.20190111. A User Enumeration vulnerability exists under calendar/freebusy.php, which allows unauthenticated remote attackers to enumerate the users of web applications based on server response.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2025

CVE-2023-38329

Publication date:
11/07/2025
An issue was discovered in eGroupWare 17.1.20190111. A cross-site scripting Reflected (XSS) vulnerability exists in calendar/freebusy.php, which allows unauthenticated remote attackers to inject arbitrary web script or HTML into the "user" HTTP/GET parameter, which reflects its input without sanitization.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2025

CVE-2025-51591

Publication date:
11/07/2025
A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2025

CVE-2025-53861

Publication date:
11/07/2025
A flaw was found in Ansible. Sensitive cookies without security flags over non-encrypted channels can lead to Man-in-the-Middle (MitM) and Cross-site scripting (XSS) attacks allowing attackers to read transmitted data.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2025

CVE-2025-53862

Publication date:
11/07/2025
A flaw was found in Ansible. Three API endpoints are accessible and return verbose, unauthenticated responses. This flaw allows a malicious user to access data that may contain important information.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2025

CVE-2025-6788

Publication date:
11/07/2025
CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that exposes TGML diagram resources to the wrong control sphere, providing other authenticated users with potentially inappropriate access to TGML diagrams.
Severity CVSS v4.0: MEDIUM
Last modification:
11/07/2025

CVE-2025-50125

Publication date:
11/07/2025
CWE-918: Server-Side Request Forgery (SSRF) vulnerability exists that could cause unauthenticated remote code execution when the server is accessed via the network with knowledge of hidden URLs and manipulation of host request header.
Severity CVSS v4.0: MEDIUM
Last modification:
11/07/2025

CVE-2025-50124

Publication date:
11/07/2025
CWE-269: Improper Privilege Management vulnerability exists that could cause privilege escalation when the server is accessed by a privileged account via a console and through exploitation of a setup script.
Severity CVSS v4.0: HIGH
Last modification:
11/07/2025

CVE-2025-50121

Publication date:
11/07/2025
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause unauthenticated remote code execution when a malicious folder is created over the web interface HTTP when enabled. HTTP is disabled by default.
Severity CVSS v4.0: CRITICAL
Last modification:
11/07/2025

CVE-2025-50122

Publication date:
11/07/2025
CWE-331: Insufficient Entropy vulnerability exists that could cause root password discovery when the password generation algorithm is reverse engineered with access to installation or upgrade artifacts.
Severity CVSS v4.0: HIGH
Last modification:
11/07/2025