Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made available a Spanish-language database for users interested in this information, which includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-48082

Publication date:
22/10/2025
Incorrect Privilege Assignment vulnerability in Progress Planner Progress Planner progress-planner allows Privilege Escalation. This issue affects Progress Planner: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-48091

Publication date:
22/10/2025
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Alexander AnyComment anycomment allows SQL Injection. This issue affects AnyComment: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-48092

Publication date:
22/10/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jurajpuchky Fix Multiple Redirects fix-multiple-redirects allows Reflected XSS. This issue affects Fix Multiple Redirects: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-11965

Publication date:
22/10/2025
In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], a StaticHandler configuration for restricting access to hidden files fails to restrict access to hidden directories, allowing unauthorized users to retrieve files within them (e.g. '.git/config').
Severity CVSS v4.0: MEDIUM
Last modification:
16/01/2026

CVE-2025-11966

Publication date:
22/10/2025
In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.
Severity CVSS v4.0: LOW
Last modification:
20/01/2026

CVE-2016-15048

Publication date:
22/10/2025
AMTT Hotel Broadband Operation System (HiBOS) contains an unauthenticated command injection vulnerability in the /manager/radius/server_ping.php endpoint. The application constructs a shell command that includes the user-supplied ip parameter and executes it without proper validation or escaping. An attacker can insert shell metacharacters into the ip parameter to inject and execute arbitrary system commands as the web server user. The initial third-party disclosure in 2016 recommended contacting the vendor for remediation guidance. Additionally, this product may have been rebranded under a different name. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-14 at 04:45:53.510819 UTC.
Severity CVSS v4.0: CRITICAL
Last modification:
31/12/2025

CVE-2025-8848

Publication date:
22/10/2025
A vulnerability in danny-avila/librechat version 0.7.9 allows for HTML injection via the Accept-Language header. When a logged-in user sends an HTTP GET request with a crafted Accept-Language header, arbitrary HTML can be injected into the tag of the response. This can lead to potential security risks such as cross-site scripting (XSS) attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
30/10/2025

CVE-2025-61035

Publication date:
22/10/2025
seffaflik through 0.0.9 is vulnerable to symlink attacks due to incorrect default permissions given to the .kimlik file and the .seffaflik file, which are created with modes 0777 and 0775 respectively, exposing secrets to other local users. Additionally, the .kimlik file is written without symlink checks, allowing local attackers to overwrite arbitrary files. This can result in information disclosure and denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-56447

Publication date:
22/10/2025
TM2 Monitoring v3.04 contains an authentication bypass and plaintext credential disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-11844

Publication date:
22/10/2025
Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitization or escaping. This allows an attacker to inject malicious XPath syntax that can alter the intended query logic. The vulnerability enables attackers to bypass search filters, access unintended DOM elements, and disrupt web automation workflows. This can lead to information disclosure, manipulation of AI agent interactions, and compromise the reliability of automated web tasks. The issue is fixed in version 1.22.0.
Severity CVSS v4.0: Pending analysis
Last modification:
30/10/2025

CVE-2025-11750

Publication date:
22/10/2025
In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning different error messages for non-existent and existing accounts. Specifically, when a login or registration attempt is made with a non-existent username or email, the system responds with a message such as "account not found." Conversely, when the username or email exists but the password is incorrect, a different error message is returned. This discrepancy allows an attacker to enumerate valid user accounts by analyzing the error responses, potentially facilitating targeted social engineering, brute force, or credential stuffing attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
30/10/2025

CVE-2023-53728

Publication date:
22/10/2025
In the Linux kernel, the following vulnerability has been resolved:

posix-timers: Ensure timer ID search-loop limit is valid

posix_timer_add() tries to allocate a posix timer ID by starting from the cached ID which was stored by the last successful allocation.

This is done in a loop searching the ID space for a free slot one by one. The loop has to terminate when the search wrapped around to the starting point.

But that's racy vs. establishing the starting point. That is read out lockless, which leads to the following problem:

    CPU0                                CPU1
    posix_timer_add()
      start = sig->posix_timer_id;
      lock(hash_lock);
      ...                               posix_timer_add()
      if (++sig->posix_timer_id < 0)
                                          start = sig->posix_timer_id;
         sig->posix_timer_id = 0;

So CPU1 can observe a negative start value, i.e. -1, and the loop break never happens because the condition can never be true:

    if (sig->posix_timer_id == start)
        break;

While this is unlikely to ever turn into an endless loop as the ID space is huge (INT_MAX), the racy read of the start value caught the attention of KCSAN and Dmitry unearthed that incorrectness.

Rewrite it so that all id operations are under the hash lock.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026