Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – and INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible, since different criteria can be selected to narrow down the results, for example vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-54780

Publication date:
05/08/2025
The glpi-screenshot-plugin allows users to take screenshots or screen recordings directly from GLPI. In versions below 2.0.2, an authenticated user can use the /ajax/screenshot.php endpoint to leak files from the system or use PHP wrappers. This is fixed in version 2.0.2.
Severity CVSS v4.0: Pending analysis
Last modification:
05/08/2025

CVE-2025-54119

Publication date:
05/08/2025
ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. In versions 5.22.9 and below, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 database and calls the metaColumns(), metaForeignKeys() or metaIndexes() methods with a crafted table name. This is fixed in version 5.22.10. To work around this issue, only pass controlled data to the $table parameter of the metaColumns(), metaForeignKeys() and metaIndexes() methods.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-53544

Publication date:
05/08/2025
Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. In versions below 0.97.0, a brute-force protection bypass in the initial sync seed retrieval endpoint allows unauthenticated attackers to guess the login password without triggering rate limiting. Trilium is a single-user app without a username requirement, and brute-force protection bypass makes exploitation much more feasible. Multiple features provided by Trilium (e.g. MFA, share notes, custom request handler) indicate that Trilium can be exposed to the internet. This is fixed in version 0.97.0.
Severity CVSS v4.0: Pending analysis
Last modification:
05/08/2025

CVE-2025-52892

Publication date:
05/08/2025
EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. In versions 9.1.6 and below, if a user loads Espo in the browser with double slashes (e.g. https://domain//#Admin) and the webserver does not strip the double slash, it can corrupt the Slim router's cache. This makes the instance unusable until a full rebuild is completed. This is fixed in version 9.1.7.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2025

CVE-2025-54797

Publication date:
05/08/2025
Rejected reason: This CVE is a duplicate of CVE-2025-52464.
Severity CVSS v4.0: Pending analysis
Last modification:
05/08/2025

CVE-2025-8534

Publication date:
05/08/2025
A vulnerability classified as problematic was found in libtiff 4.6.0. This vulnerability affects the function PS_Lvl2page of the file tools/tiff2ps.c of the component tiff2ps. The manipulation leads to a null pointer dereference. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 6ba36f159fd396ad11bf6b7874554197736ecc8b. It is recommended to apply a patch to fix this issue. One of the maintainers explains that "[t]his error only occurs if DEFER_STRILE_LOAD (defer-strile-load:BOOL=ON) or TIFFOpen( .. "rD") option is used."
Severity CVSS v4.0: LOW
Last modification:
11/09/2025

CVE-2025-46093

Publication date:
04/08/2025
LiquidFiles before 4.1.2 supports FTP SITE CHMOD for mode 6777 (setuid and setgid), which allows FTPDrop users to execute arbitrary code as root by leveraging the Actionscript feature and the sudoers configuration.
Severity CVSS v4.0: Pending analysis
Last modification:
07/08/2025

CVE-2025-46094

Publication date:
04/08/2025
LiquidFiles before 4.1.2 allows directory traversal by configuring the pathname of a local executable file as an Actionscript.
Severity CVSS v4.0: Pending analysis
Last modification:
07/08/2025

CVE-2025-8529

Publication date:
04/08/2025
A vulnerability classified as critical was found in cloudfavorites favorites-web up to 1.3.0. Affected by this vulnerability is the function getCollectLogoUrl of the file app/src/main/java/com/favorites/web/CollectController.java. The manipulation of the argument url leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
05/08/2025

CVE-2025-8530

Publication date:
04/08/2025
A vulnerability, which was classified as problematic, has been found in elunez eladmin up to 2.7. Affected by this issue is some unknown functionality of the file eladmin-system\src\main\resources\config\application-prod.yml of the component Druid. The manipulation of the argument login-username/login-password leads to use of default credentials. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
12/09/2025

CVE-2025-27211

Publication date:
04/08/2025
An improper input validation flaw in EdgeMAX EdgeSwitch (Version 1.10.4 and earlier) could allow command injection by a malicious actor with access to the EdgeSwitch adjacent network.
Severity CVSS v4.0: Pending analysis
Last modification:
05/08/2025

CVE-2025-27212

Publication date:
04/08/2025
An improper input validation flaw in certain UniFi Access devices could allow command injection by a malicious actor with access to the UniFi Access management network.

Affected Products:
UniFi Access Reader Pro (Version 2.14.21 and earlier)
UniFi Access G2 Reader Pro (Version 1.10.32 and earlier)
UniFi Access G3 Reader Pro (Version 1.10.30 and earlier)
UniFi Access Intercom (Version 1.7.28 and earlier)
UniFi Access G3 Intercom (Version 1.7.29 and earlier)
UniFi Access Intercom Viewer (Version 1.3.20 and earlier)

Mitigation:
Update UniFi Access Reader Pro to Version 2.15.9 or later
Update UniFi Access G2 Reader Pro to Version 1.11.23 or later
Update UniFi Access G3 Reader Pro to Version 1.11.22 or later
Update UniFi Access Intercom to Version 1.8.22 or later
Update UniFi Access G3 Intercom to Version 1.8.22 or later
Update UniFi Access Intercom Viewer to Version 1.4.39 or later
Severity CVSS v4.0: Pending analysis
Last modification:
05/08/2025