Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-24948

Publication date:
15/04/2025
In JotUrl 2.0, passwords are sent via HTTP GET-type requests, potentially exposing credentials to eavesdropping or insecure records.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2025

CVE-2025-24949

Publication date:
15/04/2025
In JotUrl 2.0, it is possible to bypass security requirements during the password change process.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2025

CVE-2024-36842

Publication date:
15/04/2025
An issue in Oncord+ Android Infotainment Systems OS Android 12, Model Hardware TS17, Hardware part Number F57L_V3.2_20220301, and Build Number PlatformVER:K24-2023/05/09-v0.01 allows a remote attacker to execute arbitrary code via the ADB port component.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2025

CVE-2024-11084

Publication date:
15/04/2025
Helix ALM prior to 2025.1 returns distinct error responses during authentication, allowing an attacker to determine whether a username exists.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2025

CVE-2024-13177

Publication date:
15/04/2025
Netskope Client on Mac OS is impacted by a vulnerability in which the postinstall script does not properly validate the path of the file “nsinstallation”. A standard user could potentially create a symlink of the file “nsinstallation” to escalate the privileges of a different file on the system. This issue affects Netskope Client: before 123.0, before 117.1.11.2310, before 120.1.10.2306.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2025

CVE-2020-18243

Publication date:
15/04/2025
SQL injection vulnerability found in Enricozab CMS v.1.0 allows a remote attacker to execute arbitrary code via /hdo/hdo-view-case.php.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2025

CVE-2025-32947

Publication date:
15/04/2025
This vulnerability allows any attacker to cause the PeerTube server to stop responding to requests due to an infinite loop in the "inbox" endpoint when receiving crafted ActivityPub activities.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2025

CVE-2025-32948

Publication date:
15/04/2025
The vulnerability allows any attacker to cause the PeerTube server to stop functioning, or in special cases send requests to arbitrary URLs (Blind SSRF). Attackers can send ActivityPub activities to PeerTube's "inbox" endpoint. By abusing the "Create Activity" functionality, it is possible to create crafted playlists which will cause either denial of service or an attacker-controlled blind SSRF.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2025

CVE-2025-32949

Publication date:
15/04/2025
This vulnerability allows any authenticated user to cause the server to consume very large amounts of disk space when extracting a Zip Bomb. If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. The yauzl library does not contain any mechanism to detect or prevent extraction of a Zip Bomb (https://en.wikipedia.org/wiki/Zip_bomb). Therefore, when using the User Import functionality with a Zip Bomb, PeerTube will try extracting the archive, which will cause a disk space resource exhaustion.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2025

CVE-2025-3523

Publication date:
15/04/2025
When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources. This vulnerability affects Thunderbird
Severity CVSS v4.0: Pending analysis
Last modification:
13/06/2025

CVE-2025-3522

Publication date:
15/04/2025
Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird
Severity CVSS v4.0: Pending analysis
Last modification:
18/06/2025

CVE-2025-29281

Publication date:
15/04/2025
In PerfreeBlog version 4.0.11, regular users can exploit the arbitrary file upload vulnerability in the attach component to upload arbitrary files and execute code within them.
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2025