Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we provide a database, in Spanish, that covers the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is built on the information in the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates that information into Spanish.

Occasionally the list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still working through the translation. Vulnerabilities are identified with the CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names, which supports the exchange of information between different tools and databases.

Every vulnerability collected is linked to its information sources and to the patches or solutions made available by manufacturers and developers. Advanced searches are supported: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level.

RSS feeds and newsletters provide daily notice of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-28100

Publication date:
15/04/2025
A SQL Injection vulnerability in dingfanzuCMS v.1.0 allows an attacker to execute arbitrary code because the content of the id parameter in "operateOrder.php" is not filtered correctly.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2025

CVE-2025-29705

Publication date:
15/04/2025
code-gen
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2025

CVE-2024-50960

Publication date:
15/04/2025
A command injection vulnerability in the Nmap diagnostic tool in the admin web console of Extron SMP 111
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2025

CVE-2024-42200

Publication date:
15/04/2025
HCL BigFix Web Reports might be subject to a Stored Cross-Site Scripting (XSS) attack, due to a potentially weak validation of user input.
Severity CVSS v4.0: MEDIUM
Last modification:
09/10/2025

CVE-2024-42189

Publication date:
15/04/2025
HCL BigFix Web Reports might be subject to a Denial of Service (DoS) attack, due to a potentially weak validation of an API parameter.
Severity CVSS v4.0: MEDIUM
Last modification:
09/10/2025

CVE-2021-27289

Publication date:
15/04/2025
A replay attack vulnerability was discovered in a Zigbee smart home kit manufactured by Ksix (Zigbee Gateway Module = v1.0.3, Door Sensor = v1.0.7, Motion Sensor = v1.0.12), where the Zigbee anti-replay mechanism - based on the frame counter field - is improperly implemented. As a result, an attacker within wireless range can resend captured packets with a higher sequence number, which the devices incorrectly accept as legitimate messages. This allows spoofed commands to be injected without authentication, triggering false alerts and misleading the user through notifications in the mobile application used to monitor the network.
Severity CVSS v4.0: Pending analysis
Last modification:
16/04/2025
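The entry above describes a frame-counter anti-replay check that a device enforces but an attacker can defeat by resending a captured frame with a higher counter. The following is an added example, not code from INCIBE, NVD or Ksix, of one way such a flaw arises: the receiver checks that the counter increases, but the integrity tag does not cover the counter, so the attacker can raise it freely. The frame layout, the 16-byte network key, the `Sensor`/`Gateway` classes and the use of a truncated HMAC in place of the Zigbee AES-CCM* MIC are all assumptions made for the illustration; the correct variant binds the counter into the tag, the assumed-flawed variant does not.

```python
import hashlib
import hmac
import struct

# Constructed 128-bit network key shared by the gateway and its sensors (not a real key).
NETWORK_KEY = bytes(range(16))

# Frame layout used by this model: src (2 bytes) | frame counter (4 bytes) | payload | MIC (8 bytes).
HEADER = struct.Struct("<HI")
MIC_LEN = 8


def mic(key, data):
    """Stand-in for the AES-CCM* MIC; a truncated HMAC keeps the example dependency-free."""
    return hmac.new(key, data, hashlib.sha256).digest()[:MIC_LEN]


def authenticated_part(frame_without_mic, bind_counter):
    """What the MIC covers. Correct: header (with counter) and payload. Assumed flaw: payload only."""
    return frame_without_mic if bind_counter else frame_without_mic[HEADER.size:]


class Sensor:
    """Hypothetical door/motion sensor that numbers every frame it sends."""

    def __init__(self, src, key, bind_counter=True):
        self.src, self.key, self.bind_counter = src, key, bind_counter
        self.counter = 0

    def send(self, payload):
        self.counter += 1
        body = HEADER.pack(self.src, self.counter) + payload
        return body + mic(self.key, authenticated_part(body, self.bind_counter))


class Gateway:
    """Hypothetical receiver with a per-source strictly-increasing counter check."""

    def __init__(self, key, bind_counter=True):
        self.key, self.bind_counter = key, bind_counter
        self.last_counter = {}
        self.accepted = []

    def receive(self, frame):
        src, counter = HEADER.unpack_from(frame)
        body, tag = frame[:-MIC_LEN], frame[-MIC_LEN:]
        # Anti-replay: a counter at or below the last accepted one is dropped.
        if counter <= self.last_counter.get(src, 0):
            return "rejected: replay"
        # Integrity: only meaningful against counter tampering if the MIC covers the counter.
        expected = mic(self.key, authenticated_part(body, self.bind_counter))
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad mic"
        self.last_counter[src] = counter
        self.accepted.append((src, body[HEADER.size:]))
        return "accepted"


def bump_counter(frame, new_counter):
    """Attacker in radio range: replay a captured frame with a higher counter, MIC untouched."""
    src, _ = HEADER.unpack_from(frame)
    return HEADER.pack(src, new_counter) + frame[HEADER.size:]


def run_scenario(bind_counter):
    """Legitimate frame, exact replay, replay with bumped counter, then the next legitimate frame."""
    sensor = Sensor(0x1234, NETWORK_KEY, bind_counter)
    gateway = Gateway(NETWORK_KEY, bind_counter)
    captured = sensor.send(b"DOOR_OPEN")
    return [
        gateway.receive(captured),
        gateway.receive(captured),
        gateway.receive(bump_counter(captured, 0xFFFF)),
        gateway.receive(sensor.send(b"DOOR_CLOSED")),
    ]


if __name__ == "__main__":
    print("counter bound to MIC:    ", run_scenario(True))
    print("counter outside the MIC: ", run_scenario(False))
```

In the flawed variant the bumped replay is accepted as a fresh "DOOR_OPEN" (the spoofed alert the entry describes), and because the gateway now remembers 0xFFFF as the last counter, the sensor's genuine next frame is dropped as a replay until its counter catches up. The model omits counter persistence across reboots and 32-bit wrap-around, both of which a real stack has to handle.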

CVE-2025-32779

Publication date:
15/04/2025
E.D.D.I (Enhanced Dialog Driven Interface) is a middleware to connect and manage LLM API bots. In versions before 5.5.0, an attacker with access to the `/backup/import` API endpoint can write arbitrary files to locations outside the intended extraction directory due to a Zip Slip vulnerability. Although the application runs as a non-root user (`185`), limiting direct impact on system-level files, this vulnerability can still be exploited to overwrite application files (e.g., JAR libraries) owned by the application user. This overwrite can potentially lead to Remote Code Execution (RCE) within the application's context. This issue has been patched in version 5.5.0.
Severity CVSS v4.0: Pending analysis
Last modification:
27/10/2025
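The entry above is a Zip Slip: an archive entry whose name contains `../` segments is joined onto the extraction directory and written wherever the resulting path points. The following is an added example, not code from INCIBE, NVD or the E.D.D.I project, that builds a constructed archive with one such entry, shows a naive extractor writing outside its target directory, and shows the hardened form, which resolves every entry against the real destination and refuses the whole archive before writing anything if any entry escapes. Function names, the entry names and the sample contents are assumptions made for the illustration.

```python
import io
import os
import pathlib
import zipfile


def build_zip(entries):
    """Build an in-memory archive from {entry_name: bytes}. Names are stored
    verbatim, so '../' segments survive (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed archive modelled on the bug class: one benign entry plus one whose
# name climbs two levels up and lands on a library file next to the application.
MALICIOUS_ENTRIES = {
    "config/settings.json": b'{"restored": true}',
    "../../lib/app.jar": b"attacker-controlled bytes",
}


def extract_vulnerable(zip_bytes, dest):
    """Zip Slip: entry names are joined onto dest without checking where the
    resulting path ends up, so '..' segments walk out of dest."""
    os.makedirs(dest, exist_ok=True)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)      # '../' is honoured here
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.abspath(target))
    return written


def extract_safe(zip_bytes, dest):
    """Hardened extractor: resolve every target first and refuse the archive if
    any entry would land outside dest; only then write."""
    dest_real = pathlib.Path(dest).resolve()
    planned = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Joining an absolute entry name discards dest, and resolve()
            # collapses '..' and follows symlinks, so one containment check
            # covers both traversal forms.
            target = (dest_real / info.filename).resolve()
            if dest_real not in target.parents:
                raise ValueError(f"entry escapes {dest}: {info.filename!r}")
            planned.append((info, target))
        written = []
        for info, target in planned:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(str(target))
    return written


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()
    print("vulnerable wrote:", extract_vulnerable(build_zip(MALICIOUS_ENTRIES),
                                                  os.path.join(root, "app", "data")))
    try:
        extract_safe(build_zip(MALICIOUS_ENTRIES), os.path.join(root, "app", "data2"))
    except ValueError as exc:
        print("safe refused:", exc)
```

Validating before writing matters: an extractor that checks each entry as it goes may already have written a benign entry (and, in an import flow, partially applied a backup) by the time it hits the traversal. Note also that Python's own `ZipFile.extractall` strips traversal components, so the vulnerable pattern here is the hand-rolled join-and-write loop, which is the shape the bug usually takes in application code.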

CVE-2025-32780

Publication date:
15/04/2025
BleachBit cleans files to free disk space and to maintain privacy. BleachBit for Windows up to version 4.6.2 is vulnerable to a DLL Hijacking vulnerability. By placing a malicious DLL with the name uuid.dll in the folder C:\Users\\AppData\Local\Microsoft\WindowsApps\, an attacker can execute arbitrary code every time BleachBit is run. This issue has been patched in version 4.9.0.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2025

CVE-2025-32776

Publication date:
15/04/2025
OpenRazer is an open source driver and user-space daemon to control Razer device lighting and other features on GNU/Linux. By writing specially crafted data to the `matrix_custom_frame` file, an attacker can cause the custom kernel driver to read more bytes than provided by user space. This data will be written into the RGB arguments which will be sent to the USB device. This issue has been patched in v3.10.2.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-29817

Publication date:
15/04/2025
Uncontrolled search path element in Power Automate allows an authorized attacker to disclose information over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2025

CVE-2025-28198

Publication date:
15/04/2025
A SQL injection vulnerability in Hitout car sale 1.0 allows a remote attacker to obtain sensitive information via the orderBy parameter of the StoreController.java component.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2025
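Two of the entries above are SQL injections through differently placed parameters: CVE-2025-28100 through an `id` value, CVE-2025-28198 through an `orderBy` clause. The following is an added example, not code from INCIBE, NVD or either application, showing why they need different fixes: a value position is fixed by binding a validated parameter, whereas a column name in ORDER BY cannot be bound and has to be mapped through an allow-list. It also shows why an ORDER BY injection discloses data even though it returns no attacker-chosen column: a CASE expression makes the sort key depend on a secret, so the row order becomes a one-bit oracle. The schema, rows, table and function names are constructed for the illustration, using SQLite in memory.

```python
import sqlite3

# Constructed schema and rows standing in for the two applications' tables
# (not their real databases).
SCHEMA = """
CREATE TABLE orders   (id INTEGER PRIMARY KEY, customer TEXT, total REAL);
CREATE TABLE stores   (id INTEGER PRIMARY KEY, name TEXT, rating INTEGER);
CREATE TABLE settings (id INTEGER PRIMARY KEY, admin_token TEXT);
INSERT INTO orders   VALUES (1, 'alice', 10.0), (2, 'bob', 20.0), (3, 'carol', 30.0);
INSERT INTO stores   VALUES (1, 'Alpha', 3), (2, 'Beta', 5), (3, 'Gamma', 1);
INSERT INTO settings VALUES (1, 'secret-token');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# --- Value position: the "id" parameter of a lookup ---------------------------

def order_lookup_vulnerable(conn, order_id):
    """String-builds the query, so the parameter becomes part of the SQL grammar."""
    return conn.execute(
        f"SELECT id, customer FROM orders WHERE id = {order_id}").fetchall()


def order_lookup_safe(conn, order_id):
    """Validates the type, then binds: the driver never parses the value as SQL."""
    return conn.execute(
        "SELECT id, customer FROM orders WHERE id = ?", (int(order_id),)).fetchall()


# --- Identifier position: the "orderBy" parameter of a listing -----------------
# Placeholders cannot bind a column name, so the fix is an allow-list mapping
# client-supplied sort keys to fixed SQL fragments.

SORT_COLUMNS = {"id": "id", "name": "name", "rating": "rating"}


def store_list_vulnerable(conn, order_by):
    return [row[0] for row in conn.execute(f"SELECT name FROM stores ORDER BY {order_by}")]


def store_list_safe(conn, order_by):
    column = SORT_COLUMNS.get(order_by)
    if column is None:
        raise ValueError(f"unsupported sort key: {order_by!r}")
    return [row[0] for row in conn.execute(f"SELECT name FROM stores ORDER BY {column}")]


# --- Why an ORDER BY injection discloses data ---------------------------------
# Rows come back in rating order when the guess about the secret is right and in
# name order when it is wrong, so each request leaks one bit.

BY_RATING = ["Gamma", "Alpha", "Beta"]   # ratings 1, 3, 5


def oracle_payload(prefix):
    return ("(CASE WHEN (SELECT admin_token FROM settings WHERE id = 1) "
            f"LIKE '{prefix}%' THEN rating ELSE name END)")


def recover_token(conn, alphabet="abcdefghijklmnopqrstuvwxyz-", max_len=32):
    """Recovers the secret one character at a time through the vulnerable listing."""
    known = ""
    while len(known) < max_len:
        for ch in alphabet:
            if store_list_vulnerable(conn, oracle_payload(known + ch)) == BY_RATING:
                known += ch
                break
        else:
            break
    return known


if __name__ == "__main__":
    db = make_db()
    print("id injection returns:", order_lookup_vulnerable(db, "1 OR 1=1"))
    print("orderBy oracle recovered:", recover_token(db))
```

The allow-list approach is the one to reach for wherever user input selects an identifier (column, table, sort direction): map the client token to a fixed fragment and reject anything unmapped, rather than trying to filter characters out of the raw value.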

CVE-2025-32911

Publication date:
15/04/2025
A use-after-free type vulnerability was found in libsoup, in the soup_message_headers_get_content_disposition() function. This flaw allows a malicious HTTP client to cause memory corruption in the libsoup server.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2025