Vulnerabilities

To inform, warn and assist professionals about the latest security vulnerabilities in technology systems, we make available a database, in Spanish, that includes the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally the list shows vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still translating them. Entries are identified by their CVE (Common Vulnerabilities and Exposures) identifier, the standard naming scheme for information security vulnerabilities, so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or solutions provided by manufacturers and developers. Advanced searches can narrow down the results by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters give daily notice of the latest vulnerabilities added to the repository. The list below, updated daily, shows the most recent entries.

CVE-2025-59685

Publication date:
01/10/2025
Kazaar 1.25.12 allows a JWT with none in the alg field.
Severity CVSS v4.0: Pending analysis
Last modification:
28/10/2025
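The class behind this entry is a verifier that lets the token header choose the algorithm, so a token with "alg":"none" and an empty signature is accepted without any check. The following example is added here to show the vulnerable and the hardened verifier side by side; it is not Kazaar's code and knows nothing about its internals. Key, claims and helper names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key: a real service loads this from a secret store.
SECRET_KEY = b"demo-hmac-key-not-for-production"
# The verifier owns the algorithm policy; the token header never gets a vote.
ALLOWED_ALGS = {"HS256"}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a legitimately signed HS256 token (what the server hands out)."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def forge_none_token(payload: dict) -> str:
    """What an attacker submits: alg "none" and an empty signature segment."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(payload)}."


def verify_trusting_header(token: str, key: bytes) -> Optional[dict]:
    """Vulnerable pattern: the algorithm is read from the untrusted header."""
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(p_b64))  # "unsecured" JWT: no check at all
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, _b64url_decode(s_b64)):
        return json.loads(_b64url_decode(p_b64))
    return None


def verify(token: str, key: bytes) -> Optional[dict]:
    """Hardened verifier: fixed algorithm allowlist, then constant-time MAC check."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None  # rejects "none", "None", "HS256 " and any other surprise
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(p_b64))
```

When auditing a real deployment, the check to make is that the library call pins the algorithm list on the verifying side (for example an explicit `algorithms=[...]` argument) rather than echoing whatever the header claims, and that the key type matches the pinned algorithm so an RSA public key cannot be reused as an HMAC secret.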

CVE-2025-59686

Publication date:
01/10/2025
Kazaar 1.25.12 allows /api/v1/org-id/orders/order-id/documents calls with a modified order-id.
Severity CVSS v4.0: Pending analysis
Last modification:
28/10/2025

CVE-2025-59687

Publication date:
01/10/2025
IMPAQTR Aurora before 1.36 allows Insecure Direct Object Reference attacks against the users list, organization details, bookmarks, and notifications of an arbitrary organization.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2025
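Both of the preceding entries (the modified order-id in Kazaar and the arbitrary-organization reads in IMPAQTR Aurora) are the same Insecure Direct Object Reference pattern: the handler fetches a record by the identifier in the URL and never checks that the record belongs to the caller's tenant. The example below is added to illustrate that pattern and its fix with an in-memory store; it is not code from either product, and the data, route parameters and function names are constructed.

```python
from dataclasses import dataclass
from typing import Tuple


class Forbidden(Exception):
    """Raised for any order the caller may not see; deliberately the same as 'not found'."""


@dataclass(frozen=True)
class Order:
    order_id: str
    org_id: str
    documents: Tuple[str, ...]


# Constructed sample data: two tenants, one order each.
ORDERS = {
    "ord-1001": Order("ord-1001", "org-A", ("invoice-1001.pdf",)),
    "ord-2002": Order("ord-2002", "org-B", ("contract-2002.pdf",)),
}


def list_documents_vulnerable(session_org: str, path_org: str, order_id: str):
    """IDOR pattern: the order is fetched by id alone; neither the org in the
    path nor the org bound to the authenticated session is compared to the record."""
    order = ORDERS.get(order_id)
    if order is None:
        raise Forbidden()
    return order.documents


def list_documents_fixed(session_org: str, path_org: str, order_id: str):
    """Tenant-scoped lookup: the org comes from the authenticated session,
    the org in the path must match it, and the record must belong to that org."""
    if path_org != session_org:
        raise Forbidden()
    order = ORDERS.get(order_id)
    if order is None or order.org_id != session_org:
        raise Forbidden()  # one error for missing and foreign: no existence oracle
    return order.documents


def can_read(session_org: str, path_org: str, order_id: str) -> bool:
    """Convenience wrapper for tests and audits: does the fixed handler allow this call?"""
    try:
        list_documents_fixed(session_org, path_org, order_id)
        return True
    except Forbidden:
        return False
```

In a real code base the scoping belongs in the data-access layer (a query filtered on the caller's tenant id), so that every endpoint inherits it rather than each handler remembering to compare identifiers.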

CVE-2025-57275

Publication date:
01/10/2025
Storage Performance Development Kit (SPDK) 25.05 is vulnerable to Buffer Overflow in the NVMe-oF target component in SPDK - lib/nvmf.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2025

CVE-2025-59684

Publication date:
01/10/2025
DigiSign DigiSigner ONE 1.0.4.60 allows DLL Hijacking.
Severity CVSS v4.0: Pending analysis
Last modification:
08/10/2025

CVE-2025-52040

Publication date:
01/10/2025
In Frappe ERPNext 15.57.5, the function get_blanket_orders() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the blanket_order_type parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2025

CVE-2025-52041

Publication date:
01/10/2025
In Frappe ERPNext 15.57.5, the function get_stock_balance_for() at erpnext/stock/doctype/stock_reconciliation/stock_reconciliation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the inventory_dimensions_dict parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2025

CVE-2025-52042

Publication date:
01/10/2025
In Frappe ERPNext 15.57.5, the function get_rfq_containing_supplier() at erpnext/buying/doctype/request_for_quotation/request_for_quotation.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query via the txt parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2025

CVE-2025-52039

Publication date:
01/10/2025
In Frappe ERPNext 15.57.5, the function get_material_requests_based_on_supplier() at erpnext/stock/doctype/material_request/material_request.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the txt parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2025
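The four ERPNext entries above share one root cause: a search term (txt, blanket_order_type, inventory_dimensions_dict) is spliced into the SQL text of a lookup query. The example below is added to show that pattern and the parameterised fix against an in-memory SQLite database; it is not ERPNext's code and does not reproduce its queries. The schema, the rows and the payload are constructed for the demonstration.

```python
import sqlite3


def _db() -> sqlite3.Connection:
    """Constructed schema: a searchable table next to one that must never leak."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE suppliers (name TEXT);
        CREATE TABLE api_keys (key_value TEXT);
        INSERT INTO suppliers VALUES ('Acme Metals'), ('Beta Plastics');
        INSERT INTO api_keys VALUES ('sk-constructed-secret');
    """)
    return con


def search_suppliers_vulnerable(con: sqlite3.Connection, txt: str) -> list:
    """Injectable: the user's search text becomes part of the SQL statement."""
    sql = f"SELECT name FROM suppliers WHERE name LIKE '%{txt}%'"
    return [row[0] for row in con.execute(sql)]


def search_suppliers_fixed(con: sqlite3.Connection, txt: str) -> list:
    """Parameterised: the text travels as a bound value, and LIKE metacharacters
    are escaped so the caller searches for what they typed, not a wildcard."""
    pattern = "%" + (
        txt.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    ) + "%"
    sql = "SELECT name FROM suppliers WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in con.execute(sql, (pattern,))]


# Constructed payload: closes the LIKE literal, appends a UNION, comments out the rest.
UNION_PAYLOAD = "x%' UNION SELECT key_value FROM api_keys -- "
```

The vulnerable query turns the payload into `... LIKE '%x%' UNION SELECT key_value FROM api_keys -- %'`, so the API key table comes back through a supplier search; the fixed query sends the same bytes as data and returns nothing. The same placeholder style applies to Frappe's own database API, which accepts a values argument for its queries; what matters is that no part of the statement text is built from the request.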

CVE-2025-41421

Publication date:
01/10/2025
Improper handling of symbolic links in the TeamViewer Full Client and Host for Windows — in versions prior to 15.70 of TeamViewer Remote and Tensor — allows an attacker with local, unprivileged access to a device lacking adequate malware protection to escalate privileges by spoofing the update file path. This may result in unauthorized access to sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2025

CVE-2025-40647

Publication date:
01/10/2025
Stored Cross-Site Scripting (XSS) vulnerability in Issabel v5.0.0, consisting of a stored XSS due to a lack of proper validation of user input, through the 'email' parameter in '/index.php?menu=address_book'.
Severity CVSS v4.0: MEDIUM
Last modification:
02/10/2025

CVE-2025-40648

Publication date:
01/10/2025
Stored Cross-Site Scripting (XSS) vulnerability in Issabel v5.0.0, consisting of a stored XSS due to a lack of proper validation of user input, through the 'numero_conferencia' parameter in '/index.php?menu=conferencia'.
Severity CVSS v4.0: MEDIUM
Last modification:
02/10/2025