Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-4131
Publication date:
21/08/2025
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
21/08/2025

CVE-2023-4143
Publication date:
21/08/2025
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
21/08/2025

CVE-2023-3948
Publication date:
21/08/2025
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
21/08/2025

CVE-2025-51606
Publication date:
21/08/2025
hippo4j 1.0.0 to 1.5.0, uses a hard-coded secret key in its JWT (JSON Web Token) creation. This allows attackers with access to the source code or compiled binary to forge valid access tokens and impersonate any user, including privileged ones such as "admin". The vulnerability poses a critical security risk in systems where authentication and authorization rely on the integrity of JWTs.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2025

CVE-2025-43747
Publication date:
21/08/2025
A server-side request forgery (SSRF) vulnerability exists in the Liferay DXP 2025.Q2.0 through 2025.Q2.3 due to insecure domain validation on analytics.cloud.domain.allowed, allowing an attacker to perform requests by change the domain and bypassing the validation method, this insecure validation is not distinguishing between trusted subdomains and malicious domains.
Severity CVSS v4.0: MEDIUM
Last modification:
12/12/2025

CVE-2010-20114
Publication date:
21/08/2025
VariCAD EN up to and including version 2010-2.05 is vulnerable to a stack-based buffer overflow when parsing .dwb drawing files. The application fails to properly validate the length of input data embedded in the file, allowing a crafted .dwb file to overwrite critical memory structures. This flaw can be exploited locally by convincing a user to open a malicious file, resulting in arbitrary code execution.
Severity CVSS v4.0: HIGH
Last modification:
22/08/2025

CVE-2010-20115
Publication date:
21/08/2025
Arcane Software’s Vermillion FTP Daemon (vftpd) versions up to and including 1.31 contains a memory corruption vulnerability triggered by a malformed FTP PORT command. The flaw arises from an out-of-bounds array access during input parsing, allowing an attacker to manipulate stack memory and potentially execute arbitrary code. Exploitation requires direct access to the FTP service and is constrained by a single execution attempt if the daemon is installed as a Windows service.
Severity CVSS v4.0: CRITICAL
Last modification:
22/08/2025

CVE-2010-20120
Publication date:
21/08/2025
Maple versions up to and including 13's Maplet framework allows embedded commands to be executed automatically when a .maplet file is opened. This behavior bypasses standard security restrictions that normally prevent code execution in regular Maple worksheets. The vulnerability enables attackers to craft malicious .maplet files that execute arbitrary code without user interaction.
Severity CVSS v4.0: HIGH
Last modification:
22/08/2025

CVE-2010-20122
Publication date:
21/08/2025
Xftp FTP Client version up to and including 3.0 (build 0238) contain a stack-based buffer overflow vulnerability triggered by a maliciously crafted PWD response from an FTP server. When the client connects to a server and receives an overly long directory string in response to the PWD command, the client fails to properly validate the length of the input before copying it into a fixed-size buffer. This results in memory corruption and allows remote attackers to execute arbitrary code on the client system.
Severity CVSS v4.0: CRITICAL
Last modification:
22/08/2025

CVE-2010-20123
Publication date:
21/08/2025
Steinberg MyMP3Player version 3.0 (build 3.0.0.67) is vulnerable to a stack-based buffer overflow when parsing .m3u playlist files. The application fails to properly validate the length of input data within the playlist, allowing a specially crafted file to overwrite critical memory structures and execute arbitrary code. This vulnerability can be exploited locally by convincing a user to open a malicious .m3u file.
Severity CVSS v4.0: HIGH
Last modification:
22/08/2025

CVE-2009-20004
Publication date:
21/08/2025
gAlan 0.2.1, a modular audio processing environment for Windows, is vulnerable to a stack-based buffer overflow when parsing .galan files. The application fails to properly validate the length of input data, allowing a specially crafted file to overwrite the stack and execute arbitrary code. Exploitation requires local interaction, typically by convincing a user to open the malicious file.
Severity CVSS v4.0: HIGH
Last modification:
22/08/2025

CVE-2010-20007
Publication date:
21/08/2025
Seagull FTP Client
Severity CVSS v4.0: HIGH
Last modification:
22/08/2025
Subscribe to Vulnerabilities