Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-53826

Publication date:

15/07/2025

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.39.0, File Browser’s authentication system issues long-lived JWT tokens that remain valid even after the user logs out. As of time of publication, no known patches exist.

Severity CVSS v4.0: HIGH

Last modification:

05/08/2025

CVE-2025-53893

Publication date:

15/07/2025

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.38.0, a Denial of Service (DoS) vulnerability exists in the file processing logic when reading a file on endpoint `Filebrowser-Server-IP:PORT/files/{file-name}` . While the server correctly handles and stores uploaded files, it attempts to load the entire content into memory during read operations without size checks or resource limits. This allows an authenticated user to upload a large file and trigger uncontrolled memory consumption on read, potentially crashing the server and making it unresponsive. As of time of publication, no known patches are available.

Severity CVSS v4.0: HIGH

Last modification:

05/08/2025

CVE-2025-7656

Publication date:

15/07/2025

Integer overflow in V8 in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Severity CVSS v4.0: Pending analysis

Last modification:

16/07/2025

CVE-2025-7657

Publication date:

15/07/2025

Use after free in WebRTC in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Severity CVSS v4.0: Pending analysis

Last modification:

16/07/2025

CVE-2025-6558

Publication date:

15/07/2025

Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Severity CVSS v4.0: Pending analysis

Last modification:

06/11/2025

CVE-2025-53959

Publication date:

15/07/2025

In JetBrains YouTrack before 2025.2.86069, <br /> 2024.3.85077, <br /> 2025.1.86199 email spoofing via an administrative API was possible

Severity CVSS v4.0: Pending analysis

Last modification:

14/10/2025

CVE-2025-53895

Publication date:

15/07/2025

ZITADEL is an open source identity management system. Starting in version 2.53.0 and prior to versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14, vulnerability in ZITADEL&#39;s session management API allows any authenticated user to update a session if they know its ID, due to a missing permission check. This flaw enables session hijacking, allowing an attacker to impersonate another user and access sensitive resources. Versions prior to `2.53.0` are not affected, as they required the session token for updates. Versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14 fix the issue.

Severity CVSS v4.0: HIGH

Last modification:

26/08/2025

CVE-2025-26186

Publication date:

15/07/2025

SQL Injection vulnerability in openSIS v.9.1 allows a remote attacker to execute arbitrary code via the id parameter in Ajax.php

Severity CVSS v4.0: Pending analysis

Last modification:

17/07/2025

CVE-2025-50819

Publication date:

15/07/2025

Directory traversal vulnerability in beiyuouo arxiv-daily thru 2025-05-06 (commit fad168770b0e68aef3e5acfa16bb2e7a7765d687) when parsing the the topic.yml file in the generation logic in daily_arxiv.py.

Severity CVSS v4.0: Pending analysis

Last modification:

15/07/2025

CVE-2025-52080

Publication date:

15/07/2025

In Netgear XR300 V1.0.3.38_10.3.30, a stack-based buffer overflow vulnerability exists in the HTTPD service through the usb_device.cgi endpoint. The vulnerability occurs when processing POST requests containing the share_name parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

11/08/2025

CVE-2025-52081

Publication date:

15/07/2025

Severity CVSS v4.0: Pending analysis

Last modification:

12/08/2025

CVE-2025-52082

Publication date:

15/07/2025

In Netgear XR300 V1.0.3.38_10.3.30, a stack-based buffer overflow exists in the HTTPD service through the usb_device.cgi endpoint. The vulnerability occurs when processing POST requests containing the read_access parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

11/08/2025

Subscribe to Vulnerabilities