Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-53388

Publication date:
03/03/2025
A DOM Clobbering vulnerability in mavo v0.3.2 allows attackers to execute arbitrary code via supplying a crafted HTML element.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2025

CVE-2024-53387

Publication date:
03/03/2025
A DOM Clobbering vulnerability in umeditor v1.2.3 allows attackers to execute arbitrary code via supplying a crafted HTML element.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2025

CVE-2024-57240

Publication date:
03/03/2025
A Cross-Site Scripting (XSS) vulnerability in the Rendering Engine component in Apryse WebViewer v11.1 and earlier allows attackers to execute arbitrary code via a crafted PDF file.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2024-45782

Publication date:
03/03/2025
A flaw was found in the HFS filesystem. When reading an HFS volume's name at grub_fs_mount(), the HFS filesystem driver performs a strcpy() using the user-provided volume name as input without properly validating the volume name's length. This issue may read to a heap-based out-of-bounds writer, impacting grub's sensitive data integrity and eventually leading to a secure boot protection bypass.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2025

CVE-2024-45778

Publication date:
03/03/2025
A stack overflow flaw was found when reading a BFS file system. A crafted BFS filesystem may lead to an uncontrolled loop, causing grub2 to crash.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2025

CVE-2025-27419

Publication date:
03/03/2025
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Denial of Service (DoS) vulnerability exists in WeGIA. This vulnerability allows any unauthenticated user to cause the server to become unresponsive by performing aggressive spidering. The vulnerability is caused by recursive crawling of dynamically generated URLs and insufficient handling of large volumes of requests. This vulnerability is fixed in 3.2.16.
Severity CVSS v4.0: CRITICAL
Last modification:
07/03/2025

CVE-2025-27420

Publication date:
03/03/2025
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the atendido_parentesco_adicionar.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the descricao parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability fix in 3.2.16.
Severity CVSS v4.0: MEDIUM
Last modification:
10/04/2025

CVE-2025-27418

Publication date:
03/03/2025
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the adicionar_tipo_atendido.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the tipo parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 3.2.16.
Severity CVSS v4.0: MEDIUM
Last modification:
10/04/2025

CVE-2025-27417

Publication date:
03/03/2025
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the adicionar_status_atendido.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the status parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 3.2.16.
Severity CVSS v4.0: MEDIUM
Last modification:
11/04/2025

CVE-2025-27099

Publication date:
03/03/2025
Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap allows cross-site scripting (XSS) via the tracker names used in the semantic timeframe deletion message. A tracker administrator with a semantic timeframe used by other trackers could use this vulnerability to force other tracker administrators to execute uncontrolled code. This vulnerability is fixed in Tuleap Community Edition 16.4.99.1740067916 and Tuleap Enterprise Edition 16.4-5 and 16.3-10.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2025-27094

Publication date:
03/03/2025
Tuleap is an open-source suite designed to improve software development management and collaboration. A malicious user with access to a tracker could force-reset certain field configurations, leading to potential information loss. The display time attribute for the date field, the size attribute for the multiselectbox field, the default value, number of rows, and columns attributes for the text field, and the default value, size, and max characters attributes for the string field configurations are lost when added as criteria in a saved report. Additionally, in Tuleap Community Edition versions 16.4.99.1739806825 to 16.4.99.1739877910, this issue could be exploited to prevent access to tracker data by triggering a crash. This vulnerability has been fixed in Tuleap Community Edition 16.4.99.1739877910 and Tuleap Enterprise Edition 16.3-9 and 16.4-4.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2025-25185

Publication date:
03/03/2025
GPT Academic provides interactive interfaces for large language models. In 3.91 and earlier, GPT Academic does not properly account for soft links. An attacker can create a malicious file as a soft link pointing to a target file, then package this soft link file into a tar.gz file and upload it. Subsequently, when accessing the decompressed file from the server, the soft link will point to the target file on the victim server. The vulnerability allows attackers to read all files on the server.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2025