Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-1349
Publication date:
18/06/2025
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.4 <br /> <br /> is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2025

CVE-2025-20234
Publication date:
18/06/2025
A vulnerability in Universal Disk Format (UDF) processing of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.<br /> <br /> This vulnerability is due to a memory overread during UDF file scanning. An attacker could exploit this vulnerability by submitting a crafted file containing UDF content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to terminate the ClamAV scanning process, resulting in a DoS condition on the affected software.<br /> For a description of this vulnerability, see the .
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2025

CVE-2025-4820
Publication date:
18/06/2025
Impact<br /> <br /> Cloudflare quiche was discovered to be vulnerable to incorrect congestion window growth, which could cause it to send data at a rate faster than the path might actually support.<br /> <br /> An unauthenticated remote attacker can exploit the vulnerability by first completing a handshake and initiating a congestion-controlled data transfer towards itself. Then, it could manipulate the victim&amp;#39;s congestion control state by sending ACK frames exercising an opportunistic ACK attack; see RFC 9000 Section 21.4. The victim could grow the congestion window beyond typical expectations and allow more bytes in flight than the path might really support.<br /> <br /> <br /> <br /> Patches<br /> <br /> <br /> quiche 0.24.4 is the earliest version containing the fix for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2025

CVE-2025-4821
Publication date:
18/06/2025
Impact<br /> <br /> Cloudflare quiche was discovered to be vulnerable to incorrect congestion window growth, which could cause it to send data at a rate faster than the path might actually support.<br /> <br /> An unauthenticated remote attacker can exploit the vulnerability by first completing a handshake and initiating a congestion-controlled data transfer towards itself. Then, it could manipulate the victim&amp;#39;s congestion control state by sending ACK frames covering a large range of packet numbers (including packet numbers that had never been sent); see RFC 9000 Section 19.3. The victim could grow the congestion window beyond typical expectations and allow more bytes in flight than the path might really support. In extreme cases, the window might grow beyond the limit of the internal variable&amp;#39;s type, leading to an overflow panic.<br /> <br /> <br /> <br /> Patches<br /> <br /> <br /> quiche 0.24.4 is the earliest version containing the fix for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2025

CVE-2025-36048
Publication date:
18/06/2025
IBM webMethods Integration Server 10.5, 10.7, 10.11, and 10.15 could allow a privileged user to escalate their privileges when handling external entities due to execution with unnecessary privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2025

CVE-2025-36049
Publication date:
18/06/2025
IBM webMethods Integration Server 10.5, 10.7, 10.11, and 10.15 <br /> <br /> is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2025

CVE-2025-44952
Publication date:
18/06/2025
A missing length check in `ogs_pfcp_subnet_add` function from PFCP library, used by both smf and upf in open5gs 2.7.2 and earlier, allows a local attacker to cause a Buffer Overflow by changing the `session.dnn` field with a value with length greater than 101.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2025

CVE-2025-44951
Publication date:
18/06/2025
A missing length check in `ogs_pfcp_dev_add` function from PFCP library, used by both smf and upf in open5gs 2.7.2 and earlier, allows a local attacker to cause a Buffer Overflow by changing the `session.dev` field with a value with length greater than 32.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2025

CVE-2024-54183
Publication date:
18/06/2025
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.4 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2025

CVE-2025-6240
Publication date:
18/06/2025
Improper Input Validation vulnerability in Profisee on Windows (filesystem modules) allows Path Traversal after authentication to the Profisee system.This issue affects Profisee: from 2020R1 before 2024R2.
Severity CVSS v4.0: MEDIUM
Last modification:
23/06/2025

CVE-2025-46109
Publication date:
18/06/2025
SQL Injection vulnerability in pbootCMS v.3.2.5 and v.3.2.10 allows a remote attacker to obtain sensitive information via a crafted GET request
Severity CVSS v4.0: Pending analysis
Last modification:
26/06/2025

CVE-2025-45786
Publication date:
18/06/2025
Real Estate Management 1.0 is vulnerable to Cross Site Scripting (XSS) in /store/index.php.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2025
Subscribe to Vulnerabilities