Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-34212

Publication date:

29/09/2025

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.843 and Application prior to version 20.0.1923 (VA/SaaS deployments) possess CI/CD weaknesses: the build pulls an unverified third-party image, downloads the VirtualBox Extension Pack over plain HTTP without signature validation, and grants the jenkins account NOPASSWD for mount/umount. Together these allow supply chain or man-in-the-middle compromise of the build pipeline, injection of malicious firmware, and remote code execution as root on the CI host. This vulnerability has been identified by the vendor as: V-2023-007 — Supply Chain Attack.

Severity CVSS v4.0: HIGH

Last modification:

09/10/2025

CVE-2025-30247

Publication date:

29/09/2025

An OS command injection vulnerability in user interface in Western Digital My Cloud firmware prior to 5.31.108 on NAS platforms allows remote attackers to execute arbitrary system commands via a specially crafted HTTP POST.

Severity CVSS v4.0: CRITICAL

Last modification:

02/10/2025

CVE-2025-35034

Publication date:

29/09/2025

Medical Informatics Engineering Enterprise Health has a reflected cross site scripting vulnerability in the &#39;portlet_user_id&#39; URL parameter. A remote, unauthenticated attacker can craft a URL that can execute arbitrary JavaScript in the victim&#39;s browser. This issue is fixed as of 2025-03-14.

Severity CVSS v4.0: MEDIUM

Last modification:

02/10/2025

CVE-2025-56764

Publication date:

29/09/2025

Trivision NC-227WF firmware 5.80 (build 20141010) login mechanism reveals whether a username exists or not by returning different error messages ("Unknown user" vs. "Wrong password"), allowing an attacker to enumerate valid usernames.

Severity CVSS v4.0: Pending analysis

Last modification:

11/11/2025

CVE-2025-35030

Publication date:

29/09/2025

Medical Informatics Engineering Enterprise Health has a cross site request forgery vulnerability that allows an unauthenticated attacker to trick administrative users into clicking a crafted URL and perform actions on behalf of that administrative user. This issue is fixed as of 2025-04-08.

Severity CVSS v4.0: HIGH

Last modification:

02/10/2025

CVE-2025-35031

Publication date:

29/09/2025

Medical Informatics Engineering Enterprise Health includes the user&#39;s current session token in debug output. An attacker could convince a user to send this output to the attacker, thus allowing the attacker to impersonate that user. This issue is fixed as of 2025-04-08.

Severity CVSS v4.0: MEDIUM

Last modification:

02/10/2025

CVE-2025-35032

Publication date:

29/09/2025

Medical Informatics Engineering Enterprise Health allows authenticated users to upload arbitrary files. The impact of this behavior depends on how files are accessed. This issue is fixed as of 2025-04-08.

Severity CVSS v4.0: MEDIUM

Last modification:

02/10/2025

CVE-2025-35033

Publication date:

29/09/2025

Medical Informatics Engineering Enterprise Health has a CSV injection vulnerability that allows a remote, authenticated attacker to inject macros in downloadable CSV files. This issue is fixed as of 2025-03-14.

Severity CVSS v4.0: MEDIUM

Last modification:

02/10/2025

CVE-2025-57878

Publication date:

29/09/2025

There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.

Severity CVSS v4.0: Pending analysis

Last modification:

17/10/2025

CVE-2025-57879

Publication date:

29/09/2025

Severity CVSS v4.0: Pending analysis

Last modification:

17/10/2025

CVE-2025-57872

Publication date:

29/09/2025

Severity CVSS v4.0: Pending analysis

Last modification:

17/10/2025

CVE-2025-57873

Publication date:

29/09/2025

There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.

Severity CVSS v4.0: Pending analysis

Last modification:

17/10/2025

Subscribe to Vulnerabilities