Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-23001

Publication date:

31/01/2025

A Host header injection vulnerability exists in CTFd 3.7.5, due to the application failing to properly validate or sanitize the Host header. An attacker can manipulate the Host header in HTTP requests, which may lead to phishing attacks, reset password, or cache poisoning. NOTE: the Supplier&#39;s position is that the end user is supposed to edit the NGINX configuration template to set server_name (with this setting, Host header injection cannot occur).

Severity CVSS v4.0: Pending analysis

Last modification:

21/02/2025

CVE-2024-49339

Publication date:

31/01/2025

IBM Financial Transaction Manager for SWIFT Services for Multiplatforms 3.2.4.0 through 3.2.4.1 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Severity CVSS v4.0: Pending analysis

Last modification:

13/08/2025

CVE-2024-49349

Publication date:

31/01/2025

Severity CVSS v4.0: Pending analysis

Last modification:

13/08/2025

CVE-2024-53584

Publication date:

31/01/2025

OpenPanel v0.3.4 was discovered to contain an OS command injection vulnerability via the timezone parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

23/05/2025

CVE-2024-57432

Publication date:

31/01/2025

macrozheng mall-tiny 1.0.1 suffers from Insecure Permissions. The application&#39;s JWT signing keys are hardcoded and do not change. User information is explicitly written into the JWT and used for subsequent privilege management, making it is possible to forge the JWT of any user to achieve authentication bypass.

Severity CVSS v4.0: Pending analysis

Last modification:

02/09/2025

CVE-2024-47857

Publication date:

31/01/2025

SSH Communication Security PrivX versions between 18.0-36.0 implement insufficient validation on public key signatures when using native SSH connections via a proxy port. This allows an existing PrivX "account A" to impersonate another existing PrivX "account B" and gain access to SSH target hosts to which the "account B" has access.

Severity CVSS v4.0: Pending analysis

Last modification:

18/03/2025

CVE-2024-42671

Publication date:

31/01/2025

A Host Header Poisoning Open Redirect issue in slabiak Appointment Scheduler v.1.0.5 allows a remote attacker to redirect users to a malicious website, leading to potential credential theft, malware distribution, or other malicious activities.

Severity CVSS v4.0: Pending analysis

Last modification:

19/03/2025

CVE-2024-53582

Publication date:

31/01/2025

An issue found in the Copy and View functions in the File Manager component of OpenPanel v0.3.4 allows attackers to execute a directory traversal via a crafted HTTP request.

Severity CVSS v4.0: Pending analysis

Last modification:

23/05/2025

CVE-2025-22994

Publication date:

31/01/2025

O2OA 9.1.3 is vulnerable to Cross Site Scripting (XSS) in Meetings - Settings.

Severity CVSS v4.0: Pending analysis

Last modification:

15/09/2025

CVE-2025-23215

Publication date:

31/01/2025

PMD is an extensible multilanguage static code analyzer. The passphrase for the PMD and PMD Designer release signing keys are included in jar published to Maven Central. The private key itself is not known to have been compromised itself, but given its passphrase is, it must also be considered potentially compromised. As a mitigation, both compromised keys have been revoked so that no future use of the keys are possible. Note, that the published artifacts in Maven Central under the group id net.sourceforge.pmd are not compromised and the signatures are valid.

Severity CVSS v4.0: CRITICAL

Last modification:

04/04/2025

CVE-2024-45089

Publication date:

31/01/2025

IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 Standard Edition EBICS server could allow an authenticated user to obtain sensitive filename information due to an observable discrepancy.

Severity CVSS v4.0: Pending analysis

Last modification:

05/03/2025

CVE-2024-47103

Publication date:

31/01/2025

IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 Standard Edition is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Severity CVSS v4.0: Pending analysis

Last modification:

05/03/2025

Subscribe to Vulnerabilities