Vulnerabilities

To inform, warn and help professionals deal with the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2014-125115

Publication date:
25/07/2025
An unauthenticated SQL injection vulnerability exists in Pandora FMS version 5.0 SP2 and earlier. The mobile/index.php endpoint fails to properly sanitize user input in the loginhash_data parameter, allowing attackers to extract administrator credentials or active session tokens via crafted requests. This occurs because input is directly concatenated into an SQL query without adequate validation, enabling SQL injection. After authentication is bypassed, a second vulnerability in the File Manager component permits arbitrary PHP file uploads. The file upload functionality does not enforce MIME-type or file extension restrictions, allowing authenticated users to upload web shells into a publicly accessible directory and achieve remote code execution.
Severity CVSS v4.0: CRITICAL
Last modification:
15/04/2026

CVE-2013-10032

Publication date:
25/07/2025
An authenticated remote code execution vulnerability exists in GetSimpleCMS version 3.2.1. The application’s upload.php endpoint allows authenticated users to upload arbitrary files without proper validation of MIME types or extensions. By uploading a .pht file containing PHP code, an attacker can bypass blacklist-based restrictions and place executable code within the web root. A crafted request using a polyglot or disguised extension allows the attacker to execute the payload by accessing the file directly via the web server. This vulnerability exists due to the use of a blacklist for filtering file types instead of a whitelist.
Severity CVSS v4.0: HIGH
Last modification:
23/09/2025

CVE-2025-8159

Publication date:
25/07/2025
A vulnerability was found in D-Link DIR-513 1.0. It has been rated as critical. This issue affects the function formLanguageChange of the file /goform/formLanguageChange of the component HTTP POST Request Handler. The manipulation of the argument curTime leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Severity CVSS v4.0: HIGH
Last modification:
16/09/2025

CVE-2025-8160

Publication date:
25/07/2025
A vulnerability classified as critical has been found in Tenda AC20 up to 16.03.08.12. Affected is an unknown function of the file /goform/SetSysTimeCfg of the component httpd. The manipulation of the argument timeZone leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: HIGH
Last modification:
05/08/2025

CVE-2025-44608

Publication date:
25/07/2025
CloudClassroom-PHP Project v1.0 was discovered to contain a SQL injection vulnerability via the viewid parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
07/08/2025

CVE-2025-45467

Publication date:
25/07/2025
Unitree Go1
Severity CVSS v4.0: Pending analysis
Last modification:
12/01/2026

CVE-2025-52360

Publication date:
25/07/2025
A Cross-Site Scripting (XSS) vulnerability exists in the OPAC search feature of Koha Library Management System v24.05. Unsanitized input entered in the search field is reflected in the search history interface, leading to the execution of arbitrary JavaScript in the browser context when the user interacts with the interface.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-38436

Publication date:
25/07/2025
In the Linux kernel, the following vulnerability has been resolved:

drm/scheduler: signal scheduled fence when kill job

When an entity from application B is killed, drm_sched_entity_kill() removes all jobs belonging to that entity through drm_sched_entity_kill_jobs_work(). If application A's job depends on a scheduled fence from application B's job, and that fence is not properly signaled during the killing process, application A's dependency cannot be cleared.

This leads to application A hanging indefinitely while waiting for a dependency that will never be resolved. Fix this issue by ensuring that scheduled fences are properly signaled when an entity is killed, allowing dependent applications to continue execution.
Severity CVSS v4.0: Pending analysis
Last modification:
18/04/2026

CVE-2025-38433

Publication date:
25/07/2025
In the Linux kernel, the following vulnerability has been resolved:

riscv: fix runtime constant support for nommu kernels

The `__runtime_fixup_32` function does not handle the case where `val` is zero correctly (as might occur when patching a nommu kernel and referring to a physical address below the 4GiB boundary whose upper 32 bits are all zero) because nothing in the existing logic prevents the code from taking the `else` branch of both nop-checks and emitting two `nop` instructions.

This leaves random garbage in the register that is supposed to receive the upper 32 bits of the pointer instead of zero that when combined with the value for the lower 32 bits yields an invalid pointer and causes a kernel panic when that pointer is eventually accessed.

The author clearly considered the fact that if the `lui` is converted into a `nop` that the second instruction needs to be adjusted to become an `li` instead of an `addi`, hence introducing the `addi_insn_mask` variable, but didn't follow that logic through fully to the case where the `else` branch executes. To fix it just adjust the logic to ensure that the second `else` branch is not taken if the first instruction will be patched to a `nop`.
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2025

CVE-2025-38434

Publication date:
25/07/2025
In the Linux kernel, the following vulnerability has been resolved:

Revert "riscv: Define TASK_SIZE_MAX for __access_ok()"

This reverts commit ad5643cf2f69 ("riscv: Define TASK_SIZE_MAX for __access_ok()").

This commit changes TASK_SIZE_MAX to be LONG_MAX to optimize access_ok(), because the previous TASK_SIZE_MAX (default to TASK_SIZE) requires some computation.

The reasoning was that all user addresses are less than LONG_MAX, and all kernel addresses are greater than LONG_MAX. Therefore access_ok() can filter kernel addresses.

Addresses between TASK_SIZE and LONG_MAX are not valid user addresses, but access_ok() let them pass. That was thought to be okay, because they are not valid addresses at hardware level.

Unfortunately, one case is missed: get_user_pages_fast() happily accepts addresses between TASK_SIZE and LONG_MAX. futex(), for instance, uses get_user_pages_fast(). This causes the problem reported by Robert [1].

Therefore, revert this commit. TASK_SIZE_MAX is changed to the default: TASK_SIZE.

This unfortunately reduces performance, because TASK_SIZE is more expensive to compute compared to LONG_MAX. But correctness first, we can think about optimization later, if required.
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2025

CVE-2025-38435

Publication date:
25/07/2025
In the Linux kernel, the following vulnerability has been resolved:

riscv: vector: Fix context save/restore with xtheadvector

Previously only v0-v7 were correctly saved/restored, and the context of v8-v31 are damaged. Correctly save/restore v8-v31 to avoid breaking userspace.
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2025

CVE-2025-38432

Publication date:
25/07/2025
In the Linux kernel, the following vulnerability has been resolved:

net: netpoll: Initialize UDP checksum field before checksumming

commit f1fce08e63fe ("netpoll: Eliminate redundant assignment") removed the initialization of the UDP checksum, which was wrong and broke netpoll IPv6 transmission due to bad checksumming.

udph->check needs to be set before calling csum_ipv6_magic().
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2025