Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, as different criteria can be selected to narrow down the results, for example vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-57107

Publication date:
31/10/2025
Kitware VTK (Visualization Toolkit) through 9.5.0 contains a heap buffer overflow vulnerability in vtkGLTFDocumentLoader. When processing specially crafted GLTF files, the copy constructor of Accessor objects fails to properly validate buffer boundaries before performing memory read operations.
Severity CVSS v4.0: Pending analysis
Last modification:
05/11/2025

CVE-2025-57106

Publication date:
31/10/2025
Kitware VTK (Visualization Toolkit) up to 9.5.0 is vulnerable to Buffer Overflow in vtkGLTFDocumentLoader. The vulnerability occurs in the BufferDataExtractionWorker template function when processing GLTF accessor data.
Severity CVSS v4.0: Pending analysis
Last modification:
05/11/2025

CVE-2025-12501

Publication date:
31/10/2025
Integer overflow in GameMaker IDE below version 2024.14.0 can lead to application crashes through denial-of-service attacks (DoS). GameMaker users who use the network_create_server() function in their projects are urged to update and recompile immediately.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-64386

Publication date:
31/10/2025
The equipment grants a JWT token for each connection in the timeline, but during an active valid session, a hijacking of the token can be done. This will allow an attacker with the token to modify parameters of security, access or even steal the session without the legitimate and active session detecting it. The web server allows the attacker to reuse an old session JWT token while the legitimate session is active.
Severity CVSS v4.0: HIGH
Last modification:
04/11/2025

CVE-2025-12460

Publication date:
31/10/2025
An XSS issue was discovered in Afterlogic Aurora webmail version 9.8.3 and below. An attacker can send a specially crafted HTML e-mail message with JavaScript in an img HTML tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail user's browser window, and access user data.
Severity CVSS v4.0: MEDIUM
Last modification:
04/11/2025

CVE-2025-12521

Publication date:
31/10/2025
The Analytify Pro plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.0.3 via the Analytify Tag HTML details. This makes it possible for unauthenticated attackers to extract usernames from source code. While we generally do not assign CVE IDs to username exposure issues, this vendor has specifically requested we consider it a vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-4952

Publication date:
31/10/2025
Tampering of the registry entries might have led to preventing the ESET security products from starting correctly on the next system startup or to unauthorized changes in the product's configuration.
Severity CVSS v4.0: MEDIUM
Last modification:
04/11/2025

CVE-2024-13992

Publication date:
31/10/2025
Nagios XI versions prior to
Severity CVSS v4.0: MEDIUM
Last modification:
06/11/2025

CVE-2025-36249

Publication date:
31/10/2025
IBM Jazz for Service Management 1.1.3.0 through 1.1.3.25 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
Severity CVSS v4.0: Pending analysis
Last modification:
05/11/2025

CVE-2025-33003

Publication date:
31/10/2025
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 could allow a non-root user to gain higher privileges/capabilities within the scope of a container due to execution with unnecessary privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
05/11/2025

CVE-2025-64366

Publication date:
31/10/2025
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Blind SQL Injection. This issue affects MasterStudy LMS: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
20/01/2026

CVE-2025-64367

Publication date:
31/10/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adrian Tobey Groundhogg groundhogg allows Stored XSS. This issue affects Groundhogg: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
20/01/2026