Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-39964

Publication date:

13/10/2025

In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing.

Severity CVSS v4.0: Pending analysis

Last modification:

26/02/2026

CVE-2025-6919

Publication date:

13/10/2025

Improper Neutralization of Special Elements used in an SQL Command (&#39;SQL Injection&#39;) vulnerability in Cats Information Technology Software Development Technologies Aykome License Tracking System allows SQL Injection.This issue affects Aykome License Tracking System: before Version dated 06.10.2025.

Severity CVSS v4.0: Pending analysis

Last modification:

15/04/2026

CVE-2025-9902

Publication date:

13/10/2025

Authorization Bypass Through User-Controlled Key vulnerability in AKIN Software Computer Import Export Industry and Trade Co. Ltd. QRMenu allows Privilege Abuse.This issue affects QRMenu: from 1.05.12 before Version dated 05.09.2025.

Severity CVSS v4.0: Pending analysis

Last modification:

15/04/2026

CVE-2025-11184

Publication date:

13/10/2025

Cross-site scripting vulnerability in QGIS QWC2 Registration GUI

Severity CVSS v4.0: MEDIUM

Last modification:

15/04/2026

CVE-2025-9336

Publication date:

13/10/2025

A stack buffer overflow has been identified in the AsIO3.sys driver. This vulnerability can be triggered by input manipulation, may leading to a system crash (BSOD) or other potentially undefined execution. Refer to the &#39;Security Update for Armoury Crate App&#39; section on the ASUS Security Advisory for more information.

Severity CVSS v4.0: MEDIUM

Last modification:

15/04/2026

CVE-2025-9337

Publication date:

13/10/2025

A null pointer dereference has been identified in the AsIO3.sys driver. The vulnerability can be triggered by a specially crafted input, which may lead to a system crash (BSOD). Refer to the &#39;Security Update for Armoury Crate App&#39; section on the ASUS Security Advisory for more information.

Severity CVSS v4.0: MEDIUM

Last modification:

15/04/2026

CVE-2025-10720

Publication date:

13/10/2025

The WP Private Content Plus through 3.6.2 provides a global content protection feature that requires a password. However, the access control check is based only on the presence of an unprotected client-side cookie. As a result, an unauthenticated attacker can completely bypass the password protection by manually setting the cookie value in their browser.

Severity CVSS v4.0: Pending analysis

Last modification:

15/04/2026

CVE-2025-11183

Publication date:

13/10/2025

Cross-Site Scripting vulnerability in attribute table in QGIS QWC2

Severity CVSS v4.0: MEDIUM

Last modification:

15/04/2026

CVE-2025-9968

Publication date:

13/10/2025

A link following vulnerability exists in the UnifyScanner component of Armoury Crate. This vulnerability may be triggered by creating a specially crafted junction, potentially leading to local privilege escalation. For more information, please refer to section &#39;Security Update for Armoury Crate App&#39; in the ASUS Security Advisory.

Severity CVSS v4.0: HIGH

Last modification:

15/04/2026

CVE-2025-11675

Publication date:

13/10/2025

Enterprise Cloud Database developed by Ragic has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

Severity CVSS v4.0: HIGH

Last modification:

15/04/2026

CVE-2025-9976

Publication date:

13/10/2025

An OS Command Injection vulnerability affecting Station Launcher App in 3DEXPERIENCE platform from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x could allow an attacker to execute arbitrary code on the user&#39;s machine.

Severity CVSS v4.0: Pending analysis

Last modification:

15/04/2026

CVE-2025-11671

Publication date:

13/10/2025

Uniweb/SoliPACS WebServer developed by EBM Technologies has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access a specific page to obtain information such as account names and IP addresses.

Severity CVSS v4.0: MEDIUM

Last modification:

15/04/2026

Subscribe to Vulnerabilities