Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-58166
Publication date:
03/09/2025
Rejected reason: This CVE is a duplicate of another CVE.
Severity CVSS v4.0: Pending analysis
Last modification:
03/09/2025

CVE-2025-58167
Publication date:
03/09/2025
Rejected reason: This CVE is a duplicate of another CVE.
Severity CVSS v4.0: Pending analysis
Last modification:
03/09/2025

CVE-2025-58168
Publication date:
03/09/2025
Rejected reason: This CVE is a duplicate of another CVE.
Severity CVSS v4.0: Pending analysis
Last modification:
03/09/2025

CVE-2025-58169
Publication date:
03/09/2025
Rejected reason: This CVE is a duplicate of another CVE.
Severity CVSS v4.0: Pending analysis
Last modification:
03/09/2025

CVE-2025-58170
Publication date:
03/09/2025
Rejected reason: This CVE is a duplicate of another CVE.
Severity CVSS v4.0: Pending analysis
Last modification:
03/09/2025

CVE-2025-7039
Publication date:
03/09/2025
A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.
Severity CVSS v4.0: Pending analysis
Last modification:
04/09/2025

CVE-2025-9847
Publication date:
03/09/2025
A weakness has been identified in ScriptAndTools Real Estate Management System 1.0. Impacted is an unknown function of the file register.php. This manipulation of the argument uimage causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited.
Severity CVSS v4.0: MEDIUM
Last modification:
10/09/2025

CVE-2025-9848
Publication date:
03/09/2025
A security vulnerability has been detected in ScriptAndTools Real Estate Management System 1.0. The affected element is an unknown function of the file /admin/userlist.php. Such manipulation leads to execution after redirect. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
10/09/2025

CVE-2025-58163
Publication date:
03/09/2025
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Versions 1.8.185 and earlier contain a deserialization of untrusted data vulnerability that allows authenticated attackers with knowledge of the application's APP_KEY to achieve remote code execution. The vulnerability is exploited via endpoint, e.g.: `/help/{mailbox_id}/auth/{customer_id}/{hash}/{timestamp}` where the `customer_id` and `timestamp` parameters are processed through the decrypt function in `app/Helper.php` without proper validation. The code decrypts using Laravel's built-in encryption functions, which subsequently deserialize the decrypted payload without sanitization, allowing attackers to craft malicious serialized PHP objects using classes to trigger arbitrary command execution. This is fixed in version 1.8.186.
Severity CVSS v4.0: HIGH
Last modification:
08/09/2025

CVE-2025-57806
Publication date:
03/09/2025
Local Deep Research is an AI-powered research assistant for deep, iterative research. Versions 0.2.0 through 0.6.7 stored confidential information, including API keys, in a local SQLite database without encryption. This behavior was not clearly documented outside of the database architecture page. Users were not given the ability to configure the database location, allowing anyone with access to the container or host filesystem to retrieve sensitive data in plaintext by accessing the .db file. This is fixed in version 1.0.0.
Severity CVSS v4.0: MEDIUM
Last modification:
04/09/2025

CVE-2025-9843
Publication date:
03/09/2025
A flaw has been found in Das Parking Management System 停车场管理系统 6.2.0. Affected is an unknown function of the file /Operator/FindAll. This manipulation causes information disclosure. It is possible to initiate the attack remotely. The exploit has been published and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
20/10/2025

CVE-2025-9845
Publication date:
03/09/2025
A vulnerability has been found in code-projects Fruit Shop Management System 1.0. Affected by this vulnerability is an unknown functionality of the file products.php. Such manipulation of the argument product_code/gen_name/product_name/supplier leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
08/09/2025
Subscribe to Vulnerabilities