Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-8035
Publication date:
22/07/2025
Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox
Severity CVSS v4.0: Pending analysis
Last modification:
23/07/2025

CVE-2025-7723
Publication date:
22/07/2025
A command injection vulnerability exists that can be exploited after authentication in VIGI NVR1104H-4P V1 and VIGI NVR2016H-16MP V2.This issue affects VIGI NVR1104H-4P V1: before 1.1.5 Build 250518; VIGI NVR2016H-16MP V2: before 1.3.1 Build 250407.
Severity CVSS v4.0: HIGH
Last modification:
22/07/2025

CVE-2025-8027
Publication date:
22/07/2025
On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. This vulnerability affects Firefox
Severity CVSS v4.0: Pending analysis
Last modification:
23/07/2025

CVE-2025-8028
Publication date:
22/07/2025
On arm64, a WASM `br_table` instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address. This vulnerability affects Firefox
Severity CVSS v4.0: Pending analysis
Last modification:
23/07/2025

CVE-2025-7724
Publication date:
22/07/2025
An unauthenticated OS command injection vulnerability exists in VIGI NVR1104H-4P V1 and VIGI NVR2016H-16MP V2.This issue affects VIGI NVR1104H-4P V1: before 1.1.5 Build 250518; VIGI NVR2016H-16MP V2: before 1.3.1 Build 250407.
Severity CVSS v4.0: HIGH
Last modification:
23/07/2025

CVE-2025-51462
Publication date:
22/07/2025
Stored Cross-site Scripting (XSS) vulnerability in api.apps.dialog_app.set_dialog in RAGFlow 0.17.2 allows remote attackers to execute arbitrary JavaScript via crafted input to the assistant greeting field, which is stored unsanitised and rendered using a markdown component with rehype-raw.
Severity CVSS v4.0: Pending analysis
Last modification:
22/07/2025

CVE-2025-51458
Publication date:
22/07/2025
SQL Injection in editor_sql_run and query_ex in eosphoros-ai DB-GPT 0.7.0 allows remote attackers to execute arbitrary SQL statements via crafted input passed to the /v1/editor/sql/run or /v1/editor/chart/run endpoints, interacting with api_editor_v1.editor_sql_run, editor_chart_run, and datasource.rdbms.base.query_ex.
Severity CVSS v4.0: Pending analysis
Last modification:
22/07/2025

CVE-2025-51475
Publication date:
22/07/2025
Arbitrary File Overwrite (AFO) in superagi.controllers.resources.upload in TransformerOptimus SuperAGI 0.0.14 allows remote attackers to overwrite arbitrary files via unsanitised filenames submitted to the file upload endpoint, due to improper handling of directory traversal in os.path.join() and lack of path validation in get_root_input_dir().
Severity CVSS v4.0: Pending analysis
Last modification:
22/07/2025

CVE-2025-31513
Publication date:
22/07/2025
An issue was discovered in AlertEnterprise Guardian 4.1.14.2.2.1. One can elevate to administrator privileges via the IsAdminApprover parameter in a Request%20Building%20Access requestSubmit API call.
Severity CVSS v4.0: Pending analysis
Last modification:
22/07/2025

CVE-2025-51472
Publication date:
22/07/2025
Code Injection in AgentTemplate.eval_agent_config in TransformerOptimus SuperAGI 0.0.14 allows remote attackers to execute arbitrary Python code via malicious values in agent template configurations such as the goal, constraints, or instruction field, which are evaluated using eval() without validation during template loading or updates.
Severity CVSS v4.0: Pending analysis
Last modification:
22/07/2025

CVE-2025-31511
Publication date:
22/07/2025
An issue was discovered in AlertEnterprise Guardian 4.1.14.2.2.1. One can bypass manager approval by changing the user ID in a Request%20Building%20Access requestSubmit API call.
Severity CVSS v4.0: Pending analysis
Last modification:
22/07/2025

CVE-2025-31512
Publication date:
22/07/2025
An issue was discovered in AlertEnterprise Guardian 4.1.14.2.2.1. One can bypass manager approval via isAddedByApprover in a Request%20Building%20Access requestSubmit API call.
Severity CVSS v4.0: Pending analysis
Last modification:
22/07/2025
Subscribe to Vulnerabilities