Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-53203

Publication date:
27/06/2025
Cross-Site Request Forgery (CSRF) vulnerability in EDGARROJAS WooCommerce PDF Invoice Builder allows Cross Site Request Forgery. This issue affects WooCommerce PDF Invoice Builder: from n/a through 1.2.148.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2025

CVE-2025-53206

Publication date:
27/06/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Mega – Absolute Addons for WPBakery Page Builder allows Stored XSS. This issue affects HT Mega – Absolute Addons for WPBakery Page Builder: from n/a through 1.0.8.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2025

CVE-2025-52993

Publication date:
27/06/2025
A race condition in the Nix, Lix, and Guix package managers enables changing the ownership of arbitrary files to the UID and GID of the build user (e.g., nixbld* or guixbuild*). This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2025

CVE-2025-53193

Publication date:
27/06/2025
Cross-Site Request Forgery (CSRF) vulnerability in Burst Statistics B.V. Burst Statistics allows Cross Site Request Forgery. This issue affects Burst Statistics: from n/a through 2.0.6.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2025

CVE-2025-53197

Publication date:
27/06/2025
Cross-Site Request Forgery (CSRF) vulnerability in cookiebot Cookiebot allows Cross Site Request Forgery. This issue affects Cookiebot: from n/a through 4.5.8.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2025

CVE-2025-52991

Publication date:
27/06/2025
The Nix, Lix, and Guix package managers default to using temporary build directories in a world-readable and world-writable location. This allows standard users to deceive the package manager into using directories with pre-existing content, potentially leading to unauthorized actions or data manipulation. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2025

CVE-2025-52992

Publication date:
27/06/2025
The Nix, Lix, and Guix package managers fail to properly set permissions when a derivation build fails. This may allow arbitrary processes to modify the content of a store outside of the build sandbox. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2025

CVE-2025-50528

Publication date:
27/06/2025
A buffer overflow vulnerability exists in the fromNatStaticSetting function of Tenda AC6
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2025

CVE-2025-46416

Publication date:
27/06/2025
The Nix, Lix, and Guix package managers allow a bypass of build isolation in which a user can elevate their privileges to the build user account (e.g., nixbld or guixbuild). This affects Nix through 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix through 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2025

CVE-2025-44163

Publication date:
27/06/2025
RaspAP raspap-webgui 3.3.1 is vulnerable to Directory Traversal in ajax/networking/get_wgkey.php. An authenticated attacker can send a crafted POST request with a path traversal payload in the `entity` parameter to overwrite arbitrary files writable by the web server via abuse of the `tee` command used in shell execution.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2025

CVE-2025-46415

Publication date:
27/06/2025
A race condition in the Nix, Lix, and Guix package managers allows the removal of content from arbitrary folders. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2025

CVE-2025-45729

Publication date:
27/06/2025
D-Link DIR-823-Pro 1.02 has improper permission control, allowing unauthorized users to turn on and access Telnet services.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2025