Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a Spanish-language database available to interested users, which includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish by virtue of a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, as different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-27705

Publication date:
19/03/2025
There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.53. Attackers with system administrator permissions can interfere with another system administrator’s use of the management console when the second administrator logs in. Attack complexity is high, attack requirements are present, privileges required are none, user interaction is required. The impact to confidentiality is low, the impact to availability is none, and the impact to system integrity is none.
Severity CVSS v4.0: MEDIUM
Last modification:
19/03/2025

CVE-2025-2536

Publication date:
19/03/2025
Cross-site scripting (XSS) vulnerability on Liferay Portal 7.4.3.82 through 7.4.3.128, and Liferay DXP 2024.Q3.0, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 82 through update 92 in the Frontend JS module's layout-taglib/__liferay__/index.js allows remote attackers to inject arbitrary web script or HTML via the toastData parameter.
Severity CVSS v4.0: MEDIUM
Last modification:
19/03/2025

CVE-2025-2476

Publication date:
19/03/2025
Use after free in Lens in Google Chrome prior to 134.0.6998.117 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2025

CVE-2025-27415

Publication date:
19/03/2025
Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind a CDN, it is possible in some circumstances to poison the CDN cache and severely impact the availability of a site. It is possible to craft a request, such as https://mysite.com/?/_payload.json, which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site. An attacker can perform this attack on a vulnerable site in order to make the site unavailable indefinitely. It is also possible, in the case where the cache is reset, to make a small script that sends a request every X seconds (= caching duration) so that the cache is permanently poisoned, making the site completely unavailable. This vulnerability is fixed in 3.16.0.
Severity CVSS v4.0: Pending analysis
Last modification:
19/03/2025

CVE-2025-27704

Publication date:
19/03/2025
There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.53. Attackers with system administrator permissions can interfere with another system administrator’s use of the management console when the second administrator logs in. Attack complexity is high, attack requirements are present, privileges required are none, user interaction is required. The impact to confidentiality is low, the impact to availability is none, and the impact to system integrity is none.
Severity CVSS v4.0: MEDIUM
Last modification:
19/03/2025

CVE-2024-57061

Publication date:
19/03/2025
An issue in Termius version 9.9.0 through 9.16.0 allows a physically proximate attacker to execute arbitrary code via the insecure Electron Fuses configuration.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2025

CVE-2024-7631

Publication date:
19/03/2025
A flaw was found in the OpenShift Console, in an endpoint for plugins to serve resources in multiple languages: /locales/resources.json. This endpoint's lng and ns parameters are used to construct a filepath in pkg/plugins/handlers.go#L112 unsafely. Because of this unsafe filepath construction, an authenticated user can manipulate the path to retrieve any JSON files on the console's pod by using sequences of ../ and valid directory paths.
Severity CVSS v4.0: Pending analysis
Last modification:
19/03/2025

CVE-2024-51459

Publication date:
19/03/2025
IBM InfoSphere Information Server 11.7 could allow a local user to execute privileged commands due to the improper handling of permissions.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2025

CVE-2025-29925

Publication date:
19/03/2025
XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoint /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the wiki, though only for the main wiki. The problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpoint can still be requested but the result is filtered based on page rights.
Severity CVSS v4.0: HIGH
Last modification:
30/04/2025

CVE-2025-29924

Publication date:
19/03/2025
XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for a user to get access to private information through the REST API (but it could also be through another API) when a sub wiki is using "Prevent unregistered users to view pages". The vulnerability only affects subwikis, and it only concerns specific right options such as "Prevent unregistered users to view pages" or "Prevent unregistered users to edit pages". It's possible to detect the vulnerability by enabling "Prevent unregistered users to view pages" and then trying to access a page through the REST API without using any credentials. The vulnerability has been patched in XWiki 15.10.14, 16.4.6 and 16.10.0RC1.
Severity CVSS v4.0: HIGH
Last modification:
30/04/2025

CVE-2025-29926

Publication date:
19/03/2025
XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so perform other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager. The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module.
Severity CVSS v4.0: HIGH
Last modification:
13/05/2025

CVE-2025-29405

Publication date:
19/03/2025
An arbitrary file upload vulnerability in the component /admin/template.php of emlog pro 2.5.0 and pro 2.5.* allows attackers to execute arbitrary code via uploading a crafted PHP file.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2025