Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information in the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, since entries are added while the INCIBE team is still carrying out the translation. Vulnerabilities are identified using the CVE (Common Vulnerabilities and Exposures) standard for vulnerability names, which supports the exchange of information between different tools and databases.

Every vulnerability collected is linked to its information sources and, where available, to the patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-36851

Publication date:
25/09/2025
Rob -- W / cors-anywhere instances configured as an open proxy allow unauthenticated external users to induce the server to make HTTP requests to arbitrary targets (SSRF). Because the proxy forwards requests and headers, an attacker can reach internal-only endpoints and link-local metadata services, retrieve instance role credentials or other sensitive metadata, and interact with internal APIs and services that are not intended to be internet-facing. The vulnerability is exploitable by sending crafted requests to the proxy with the target resource encoded in the URL; many cors-anywhere deployments forward arbitrary methods and headers (including PUT), which can permit exploitation of IMDSv2 workflows as well as access to internal management APIs. Successful exploitation can result in theft of cloud credentials, unauthorized access to internal services, remote code execution or privilege escalation (depending on reachable backends), data exfiltration, and full compromise of cloud resources. Mitigation includes: restricting the proxy to trusted origins or authentication, whitelisting allowed target hosts, preventing access to link-local and internal IP ranges, removing support for unsafe HTTP methods/headers, enabling cloud provider mitigations, and deploying network-level protections.
Severity CVSS v4.0: CRITICAL
Last modification:
26/09/2025

CVE-2025-5494

Publication date:
25/09/2025
ZohoCorp ManageEngine Endpoint Central was impacted by an improper privilege management issue in the agent setup. This issue affects Endpoint Central: through 11.4.2500.25, through 11.4.2508.13.
Severity CVSS v4.0: Pending analysis
Last modification:
22/10/2025

CVE-2025-59831

Publication date:
25/09/2025
git-commiters is a Node.js function module providing committers stats for their git repository. Prior to version 0.1.2, there is a command injection vulnerability in git-commiters. This vulnerability manifests with the library's primary exported API: gitCommiters(options, callback) which allows specifying options such as cwd for current working directory and revisionRange as a revision pointer, such as HEAD. However, the library does not sanitize for user input or practice secure process execution API to separate commands from their arguments and as such, uncontrolled user input is concatenated into command execution. This issue has been patched in version 0.1.2.
Severity CVSS v4.0: HIGH
Last modification:
16/10/2025

CVE-2025-59834

Publication date:
25/09/2025
ADB MCP Server is an MCP (Model Context Protocol) server for interacting with Android devices through ADB. In versions 0.1.0 and prior, the MCP Server is written in a way that is vulnerable to command injection attacks in some of its MCP Server tool definitions and implementations. This issue has been patched via commit 041729c.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2025

CVE-2025-59839

Publication date:
25/09/2025
The EmbedVideo Extension is a MediaWiki extension which adds a parser function called #ev and various parser tags for embedding video clips from various video sharing services. In versions 4.0.0 and prior, the EmbedVideo extension allows adding arbitrary attributes to an HTML element, allowing for stored XSS through wikitext. This issue has been patched via commit 4e075d3.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2025

CVE-2025-59426

Publication date:
25/09/2025
Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.130.1, the project's OIDC redirect handling logic constructs the host and protocol of the final redirect URL based on the X-Forwarded-Host or Host headers and the X-Forwarded-Proto value. In deployments where a reverse proxy forwards client-supplied X-Forwarded-* headers to the origin as-is, or where the origin trusts them without validation, an attacker can inject an arbitrary host and trigger an open redirect that sends users to a malicious domain. This issue has been patched in version 1.130.1.
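The header-trust problem described above, as an added example that is not Lobe Chat's code: the origin of the post-login redirect is taken from X-Forwarded-Host / X-Forwarded-Proto or Host only when it matches a configured public origin. The trusted origin, the request objects and the function names are assumptions for the demonstration; requests are modelled on Node's http.IncomingMessage, whose header names are lower-cased.

```javascript
// Added example, not Lobe Chat's code: decide the origin used for an OIDC
// callback redirect. Forwarded headers are honoured only when they name a
// configured public origin; otherwise the configured origin is used. Request
// objects are assumed to look like Node's http.IncomingMessage (lower-cased
// header names) and are constructed inline for the demonstration.
const TRUSTED_ORIGINS = new Set(["https://chat.example.com"]); // assumption: deployment config

// The pattern the advisory describes: host and protocol taken from
// X-Forwarded-* or Host without validation.
function vulnerableRedirectBase(req) {
  const h = req.headers;
  const proto = h["x-forwarded-proto"] || "http";
  const host = h["x-forwarded-host"] || h.host;
  return `${proto}://${host}`;
}

// Hardened: candidate origins are derived from the headers, but only one that
// is on the trusted list is ever returned.
function resolveRedirectBase(req, trusted = TRUSTED_ORIGINS) {
  const h = req.headers;
  const candidates = [];
  if (h["x-forwarded-host"]) {
    const fwdHost = h["x-forwarded-host"].split(",")[0].trim(); // first hop only
    const fwdProto = h["x-forwarded-proto"] === "https" ? "https" : "http";
    candidates.push(`${fwdProto}://${fwdHost}`);
  }
  if (h.host) {
    const proto = req.socket && req.socket.encrypted ? "https" : "http";
    candidates.push(`${proto}://${h.host}`);
  }
  const match = candidates.find((c) => trusted.has(c));
  return match || trusted.values().next().value;
}

// Builds the final redirect. The continuation path must be relative: a value
// starting with "//" or "/\" would otherwise be parsed as a new authority.
function buildCallbackRedirect(req, path, trusted = TRUSTED_ORIGINS) {
  const base = resolveRedirectBase(req, trusted);
  const safePath = /^\/(?![\/\\])/.test(path) ? path : "/";
  const url = new URL(safePath, base);
  if (url.origin !== new URL(base).origin) throw new Error("redirect escaped trusted origin");
  return url.href;
}
```

The origin comparison at the end is deliberate belt-and-braces: even if a future change relaxes the path check, a redirect that resolves outside the trusted origin is refused rather than emitted.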
Severity CVSS v4.0: Pending analysis
Last modification:
08/10/2025

CVE-2025-59422

Publication date:
25/09/2025
Dify is an open-source LLM app development platform. In version 1.8.1, a broken access control vulnerability on the /console/api/apps/chat-messages?conversation_id=&limit=10 endpoint allows users in the same workspace to read chat messages of other users. A regular user is able to read the query data and the filename of the admins' and probably other users' chats, if they know the conversation_id. This impacts the confidentiality of chats. This issue has been patched in version 1.9.0.
Severity CVSS v4.0: MEDIUM
Last modification:
14/10/2025

CVE-2025-27261

Publication date:
25/09/2025
Ericsson Indoor Connect 8855 contains an SQL injection vulnerability which if exploited can result in unauthorized disclosure or modification of data.
Severity CVSS v4.0: HIGH
Last modification:
02/10/2025

CVE-2025-57317

Publication date:
25/09/2025
apidoc-core is the core parser library to generate apidoc result following the apidoc-spec. A Prototype Pollution vulnerability in the preProcess function of apidoc-core versions thru 0.15.0 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2025

CVE-2025-26278

Publication date:
25/09/2025
A prototype pollution vulnerability in the lib.set function of dref v0.1.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
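The prototype pollution pattern behind both this dref entry and the apidoc-core entry above (a setter that walks a key path and can be steered onto Object.prototype), as an added example that is not the code of either project. The path syntax, the function names and the demonstration input are assumptions; the example shows the pollution happening and a hardened setter refusing it.

```javascript
// Added example, not dref's or apidoc-core's code: a dotted-path setter with the
// prototype-pollution flaw both advisories describe, beside a hardened version.
// Path syntax ("a.b.c") and function names are assumptions for the demo.

// Vulnerable: any segment is used as a property name, so "__proto__" steps onto
// Object.prototype and the final assignment lands on every object in the process.
function unsafeSet(obj, path, value) {
  const keys = path.split(".");
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof cur[keys[i]] !== "object" || cur[keys[i]] === null) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Segments that reach the prototype chain are refused outright.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

// Hardened: reserved segments are rejected, only own properties are descended
// into, and intermediate containers have no prototype to climb.
function safeSet(obj, path, value) {
  const keys = path.split(".");
  if (keys.some((k) => FORBIDDEN.has(k))) {
    throw new Error(`refusing to set reserved key in path "${path}"`);
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!Object.prototype.hasOwnProperty.call(cur, k) || typeof cur[k] !== "object" || cur[k] === null) {
      cur[k] = Object.create(null);
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Runs a constructed payload (the kind a JSON body or parsed doc block could
// supply) through both setters and reports what a fresh object sees afterwards.
function demonstrate() {
  const before = ({}).polluted;              // undefined on a clean prototype
  unsafeSet({}, "__proto__.polluted", "yes");
  const after = ({}).polluted;               // "yes": every object is now affected
  delete Object.prototype.polluted;          // undo so the rest of the process is sane
  let refused = false;
  try {
    safeSet({}, "__proto__.polluted", "yes");
  } catch {
    refused = true;
  }
  return { before, after, refused, clean: ({}).polluted };
}
```

Once `Object.prototype` carries an unexpected key, code elsewhere that checks `if (options.someFlag)` or iterates with `for...in` misbehaves, which is the denial-of-service consequence both advisories name as the minimum impact; the hardened setter also returns `Object.create(null)` containers, so even a key such as `toString` on a created branch cannot shadow an inherited method.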
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2025

CVE-2025-10948

Publication date:
25/09/2025
A vulnerability has been found in MikroTik RouterOS 7. This affects the function parse_json_element of the file /rest/ip/address/print of the component libjson.so. The manipulation leads to buffer overflow. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.20.1 or 7.21beta2 mitigates this issue. You should upgrade the affected component. The vendor replied: "Our bug tracker reports that your issue has been fixed. This means that we plan to release a RouterOS update with this fix. Make sure to upgrade to the next release when it comes out."
Severity CVSS v4.0: HIGH
Last modification:
13/10/2025

CVE-2025-10540

Publication date:
25/09/2025
iMonitor EAM 9.6394 transmits communication between the EAM client agent and the EAM server, as well as between the EAM monitor management software and the server, in plaintext without authentication or encryption. An attacker with network access can intercept sensitive information (such as credentials, keylogger data, and personally identifiable information) and tamper with traffic. This allows both unauthorized disclosure and modification of data, including issuing arbitrary commands to client agents.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025