Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made available to interested users a Spanish-language database that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-48390

Publication date:
29/05/2025
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, FreeScout is vulnerable to code injection due to insufficient validation of user input in the php_path parameter. Backtick characters are not removed, and neither are tab characters. When checking user input, the file_exists function is also called to check for the presence of such a file (folder) in the file system. A user with the administrator role can create a translation for a language, which creates a folder in the file system. Then, in tools.php, the user can specify the path to this folder as php_path, which leads to the execution of the code in backticks. This issue has been patched in version 1.8.178.
Severity CVSS v4.0: HIGH
Last modification:
11/07/2025

CVE-2025-48471

Publication date:
29/05/2025
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, the application does not check, or insufficiently checks, files uploaded to the application. This allows files to be uploaded with the phtml and phar extensions, which can lead to remote code execution if the Apache web server is used. This issue has been patched in version 1.8.179.
Severity CVSS v4.0: HIGH
Last modification:
10/06/2025

CVE-2025-48472

Publication date:
29/05/2025
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, there is no check to ensure that the user is disabling notifications only for a mailbox to which they already have access. Moreover, the code explicitly implements behaviour whereby, if the user does not have access to the mailbox, then after disabling (or enabling) notifications for this mailbox the user gains access to it. This issue has been patched in version 1.8.179.
Severity CVSS v4.0: MEDIUM
Last modification:
10/06/2025

CVE-2025-3913

Publication date:
29/05/2025
Mattermost versions 10.7.x
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2025

CVE-2025-5321

Publication date:
29/05/2025
A vulnerability classified as critical was found in aimhubio aim up to 3.29.1. This vulnerability affects the function RestrictedPythonQuery of the file /aim/storage/query.py of the component run_view Object Handler. The manipulation of the argument query leads to privilege escalation. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
19/09/2025

CVE-2025-5334

Publication date:
29/05/2025
Exposure of private personal information to an unauthorized actor in the user vaults component of Devolutions Remote Desktop Manager allows an authenticated user to gain unauthorized access to private personal information.

Under specific circumstances, entries may be unintentionally moved from user vaults to shared vaults when edited by their owners, making them accessible to other users.

This issue affects the following versions:

* Remote Desktop Manager Windows 2025.1.34.0 and earlier
* Remote Desktop Manager macOS 2025.1.16.3 and earlier
* Remote Desktop Manager Android 2025.1.3.3 and earlier
* Remote Desktop Manager iOS 2025.1.6.0 and earlier
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2025

CVE-2025-48748

Publication date:
29/05/2025
Netwrix Directory Manager (formerly Imanami GroupID) through v.10.0.7784.0 has a hard-coded password.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2025

CVE-2025-4081

Publication date:
29/05/2025
Use of the entitlement "com.apple.security.cs.disable-library-validation" and the lack of launch and library load constraints allow a legitimate dylib to be substituted with a malicious one. A local attacker with unprivileged access can execute the application with the altered dynamic library, successfully bypassing Transparency, Consent, and Control (TCC). The acquired resource access is limited to permissions previously granted by the user. Access to other resources beyond the granted permissions requires user interaction with a system prompt asking for permission.

This issue affects DaVinci Resolve on macOS in all versions.
Last tested version: 19.1.3
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2024-22653

Publication date:
29/05/2025
yasm commit 9defefae was discovered to contain a NULL pointer dereference via the yasm_section_bcs_append function in section.c.
Severity CVSS v4.0: Pending analysis
Last modification:
18/06/2025

CVE-2024-22654

Publication date:
29/05/2025
tcpreplay v4.4.4 was discovered to contain an infinite loop via the tcprewrite function in get.c.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2025

CVE-2025-5320

Publication date:
29/05/2025
A vulnerability classified as problematic has been found in gradio-app gradio up to 5.29.1. This affects the function is_valid_origin of the component CORS Handler. The manipulation of the argument localhost_aliases leads to privilege escalation. It is possible to initiate the attack remotely. The complexity of an attack is rather high. Exploitation is said to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2025-46078

Publication date:
29/05/2025
HuoCMS V3.5.1 and earlier is vulnerable to arbitrary file upload, which allows attackers to take control of the target server.
Severity CVSS v4.0: Pending analysis
Last modification:
04/06/2025