Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-9925

Publication date:

03/09/2025

A vulnerability was found in projectworlds Travel Management System 1.0. This issue affects some unknown processing of the file /detail.php. The manipulation of the argument pid results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.

Severity CVSS v4.0: MEDIUM

Last modification:

29/04/2026

CVE-2025-9926

Publication date:

03/09/2025

A vulnerability was determined in projectworlds Travel Management System 1.0. Impacted is an unknown function of the file /viewsubcategory.php. This manipulation of the argument t1 causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.

Severity CVSS v4.0: MEDIUM

Last modification:

29/04/2026

CVE-2025-9365

Publication date:

03/09/2025

Fuji Electric FRENIC-Loader 4 is vulnerable to a deserialization of untrusted data when importing a file through a specified window, which may allow an attacker to execute arbitrary code.

Severity CVSS v4.0: HIGH

Last modification:

15/04/2026

CVE-2025-56139

Publication date:

03/09/2025

LinkedIn Mobile Application for Android version 4.1.1087.2 fails to update link preview metadata (image, title, description) when a user replaces the original URL in a post or comment before publishing. As a result, the stale preview remains visible while the clickable link points to a different URL, which can be malicious. This UI misrepresentation enables attackers to deceive users by displaying trusted previews for harmful links, facilitating phishing attacks and user confusion.

Severity CVSS v4.0: Pending analysis

Last modification:

08/09/2025

CVE-2025-53690

Publication date:

03/09/2025

Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Code Injection.This issue affects Experience Manager (XM): through 9.0; Experience Platform (XP): through 9.0.

Severity CVSS v4.0: Pending analysis

Last modification:

30/10/2025

CVE-2025-55162

Publication date:

03/09/2025

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In versions below 1.32.10 and 1.33.0 through 1.33.6, 1.34.0 through 1.34.4 and 1.35.0, insufficient Session Expiration in the Envoy OAuth2 filter leads to failed logout operations. When configured with __Secure- or __Host- prefixed cookie names, the filter fails to append the required Secure attribute to the Set-Cookie header during deletion. Modern browsers ignore this invalid request, causing the session cookie to persist. This allows a user to remain logged in after they believe they have logged out, creating a session hijacking risk on shared computers. The current implementation iterates through the configured cookie names to generate deletion headers but does not check for these prefixes. This failure to properly construct the deletion header means the user&#39;s session cookies are never removed by the browser, leaving the session active and allowing the next user of the same browser to gain unauthorized access to the original user&#39;s account and data. This is fixed in versions 1.32.10, 1.33.7, 1.34.5 and 1.35.1.

Severity CVSS v4.0: Pending analysis

Last modification:

08/09/2025

CVE-2025-9923

Publication date:

03/09/2025

A flaw has been found in Campcodes Sales and Inventory System 1.0. This affects an unknown part of the file /index.php. Executing manipulation of the argument page can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used.

Severity CVSS v4.0: LOW

Last modification:

29/04/2026

CVE-2025-9924

Publication date:

03/09/2025

A vulnerability has been found in projectworlds Travel Management System 1.0. This vulnerability affects unknown code of the file /enquiry.php. The manipulation of the argument t2 leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

Severity CVSS v4.0: MEDIUM

Last modification:

29/04/2026

CVE-2025-36193

Publication date:

03/09/2025

IBM Transformation Advisor 2.0.1 through 4.3.1 incorrectly assigns privileges to security critical files which could allow a local root escalation inside a container running the IBM Transformation Advisor Operator Catalog image.

Severity CVSS v4.0: Pending analysis

Last modification:

29/09/2025

CVE-2025-52494

Publication date:

03/09/2025

Adacore Ada Web Server (AWS) before 25.2 is vulnerable to a denial-of-service (DoS) condition due to improper handling of SSL handshakes during connection initialization. When a client initiates an HTTPS connection, the server performs the SSL handshake before assigning the connection to a processing slot. However, there is no specific timeout set for this phase, and the server uses the default socket timeout, which is effectively infinite. An attacker can exploit this by sending a malformed TLS ClientHello message with incorrect length values. This causes the server to wait indefinitely for data that never arrives, blocking the worker thread (Line) handling the connection. By opening multiple such connections, up to the server&#39;s maximum limit, the attacker can exhaust all available working threads, preventing the server from handling new, legitimate requests.

Severity CVSS v4.0: Pending analysis

Last modification:

08/09/2025

CVE-2025-56752

Publication date:

03/09/2025

A vulnerability in the Ruijie RG-ES series switch firmware ESW_1.0(1)B1P39 enables remote attackers to fully bypass authentication mechanisms, providing them with unrestricted access to alter administrative settings and potentially seize control of affected devices via crafted HTTP POST request to /user.cgi.

Severity CVSS v4.0: Pending analysis

Last modification:

29/09/2025

CVE-2025-56803

Publication date:

03/09/2025

Figma Desktop for Windows version 125.6.5 contains a command injection vulnerability in the local plugin loader. An attacker can execute arbitrary OS commands by setting a crafted build field in the plugin&#39;s manifest.json. This field is passed to child_process.exec without validation, leading to possible RCE. NOTE: this is disputed by the Supplier because the behavior only allows a local user to attack himself via a local plugin. The local build procedure, which is essential to the attack, is not executed for plugins shared to the Figma Community.

Severity CVSS v4.0: Pending analysis

Last modification:

26/09/2025

Subscribe to Vulnerabilities