Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-1951

Publication date:

22/04/2025

IBM Hardware Management Console - Power Systems V10.2.1030.0 and V10.3.1050.0 could allow a local user to execute commands as a privileged user due to execution of commands with unnecessary privileges.

Severity CVSS v4.0: Pending analysis

Last modification:

12/08/2025

CVE-2025-23176

Publication date:

22/04/2025

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (&#39;SQL Injection&#39;)

Severity CVSS v4.0: Pending analysis

Last modification:

15/04/2026

CVE-2025-28032

Publication date:

22/04/2025

TOTOLINK A800R V4.1.2cu.5137_B20200730, A810R V4.1.2cu.5182_B20201026, A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 contain a pre-auth buffer overflow vulnerability in the setNoticeCfg function through the IpForm parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

29/04/2025

CVE-2025-28033

Publication date:

22/04/2025

TOTOLINK A800R V4.1.2cu.5137_B20200730, A810R V4.1.2cu.5182_B20201026, A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 were found to contain a pre-auth buffer overflow vulnerability in the setNoticeCfg function through the IpTo parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

29/04/2025

CVE-2025-28034

Publication date:

22/04/2025

TOTOLINK A800R V4.1.2cu.5137_B20200730, A810R V4.1.2cu.5182_B20201026, A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 were found to contain a pre-auth remote command execution vulnerability in the NTPSyncWithHost function through the hostTime parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

29/04/2025

CVE-2024-40446

Publication date:

22/04/2025

An issue in forkosh Mime Tex before v.1.77 allows an attacker to execute arbitrary code via a crafted script

Severity CVSS v4.0: Pending analysis

Last modification:

23/06/2025

CVE-2024-46546

Publication date:

22/04/2025

NEXTU FLETA AX1500 WIFI6 Router v1.0.3 was discovered to contain a stack overflow via the url parameter at /boafrm/formFilter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

Severity CVSS v4.0: Pending analysis

Last modification:

23/06/2025

CVE-2024-40445

Publication date:

22/04/2025

A directory traversal vulnerability in forkosh Mime TeX before version 1.77 allows attackers on Windows systems to read or append arbitrary files by manipulating crafted input paths.

Severity CVSS v4.0: Pending analysis

Last modification:

23/06/2025

CVE-2025-23175

Publication date:

22/04/2025

Multiple XSS (CWE-79)

Severity CVSS v4.0: Pending analysis

Last modification:

15/04/2026

CVE-2025-3457

Publication date:

22/04/2025

The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&#39;s &#39;oceanwp_icon&#39; shortcode in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity CVSS v4.0: Pending analysis

Last modification:

30/04/2025

CVE-2025-3458

Publication date:

22/04/2025

The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the &#39;ocean_gallery_id’ parameter in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The Classic Editor plugin must be installed and activated to exploit the vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

30/04/2025

CVE-2025-3472

Publication date:

22/04/2025

The Ocean Extra plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.4.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes when WooCommerce is also installed and activated.

Severity CVSS v4.0: Pending analysis

Last modification:

30/04/2025

Subscribe to Vulnerabilities