Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-8894
Publication date:
16/09/2025
A maliciously crafted PDF file, when parsed through certain Autodesk products, can force a Heap-Based Overflow vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.
Severity CVSS v4.0: Pending analysis
Last modification:
19/09/2025

CVE-2025-56280
Publication date:
16/09/2025
code-projects Food Ordering Review System 1.0 is vulnerable to Cross Site Scripting (XSS) in the area where users submit reservation information.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2025

CVE-2025-56289
Publication date:
16/09/2025
code-projects Document Management System 1.0 has a Cross Site Scripting (XSS) vulnerability, where attackers can leak admin's cookie information by entering malicious XSS code in the Company field when adding files.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2025

CVE-2025-56293
Publication date:
16/09/2025
code-projects Human Resource Integrated System 1.0 is vulnerable to Cross Site Scripting (XSS) in the Add Child Information section in the Childs Name field.
Severity CVSS v4.0: Pending analysis
Last modification:
23/10/2025

CVE-2025-56295
Publication date:
16/09/2025
code-projects Computer Laboratory System 1.0 has a file upload vulnerability. Staff can upload malicious files by uploading PHP backdoor files when modifying personal avatar information and use web shell connection tools to obtain server permissions.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2025

CVE-2025-4953
Publication date:
16/09/2025
A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-36244
Publication date:
16/09/2025
IBM AIX 7.2, 7.3, IBM VIOS 3.1, and 4.1, when configured to use Kerberos network authentication, could allow a local user to write to files on the system with root privileges due to improper initialization of critical variables.
Severity CVSS v4.0: Pending analysis
Last modification:
17/10/2025

CVE-2025-41243
Publication date:
16/09/2025
Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification.<br /> <br /> An application should be considered vulnerable when all the following are true:<br /> <br /> * The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).<br /> * Spring Boot actuator is a dependency.<br /> * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway.<br /> * The actuator endpoints are available to attackers.<br /> * The actuator endpoints are unsecured.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2019-25163
Publication date:
16/09/2025
Rejected reason: ** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
Severity CVSS v4.0: Pending analysis
Last modification:
16/09/2025

CVE-2009-20007
Publication date:
16/09/2025
Talkative IRC v0.4.4.16 is vulnerable to a stack-based buffer overflow when processing specially crafted response strings sent to a connected client. An attacker can exploit this flaw by sending an overly long message that overflows a fixed-length buffer, potentially leading to arbitrary code execution in the context of the vulnerable process. This vulnerability is exploitable remotely and does not require authentication.
Severity CVSS v4.0: CRITICAL
Last modification:
15/04/2026

CVE-2024-13149
Publication date:
16/09/2025
Improper Neutralization of Special Elements used in an SQL Command (&amp;#39;SQL Injection&amp;#39;), CWE - 200 - Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Arma Store Armalife allows SQL Injection.This issue affects Armalife: through 20250916. <br /> <br /> NOTE: The vendor did not inform about the completion of the fixing process within the specified time. The CVE will be updated when new information becomes available.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-13174
Publication date:
16/09/2025
Improper Neutralization of Special Elements used in an SQL Command (&amp;#39;SQL Injection&amp;#39;) vulnerability in E1 Informatics Web Application allows SQL Injection.This issue affects Web Application: through 20250916. <br /> <br /> NOTE: The vendor did not inform about the completion of the fixing process within the specified time. The CVE will be updated when new information becomes available.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026
Subscribe to Vulnerabilities