Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-9844

Publication date:
23/09/2025
Uncontrolled Search Path Element vulnerability in Salesforce Salesforce CLI on Windows allows Replace Trusted Executable.This issue affects Salesforce CLI: before 2.106.6.
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2025

CVE-2025-6921

Publication date:
23/09/2025
The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer. The vulnerability arises from the _do_use_weight_decay method, which processes user-controlled regular expressions in the include_in_weight_decay and exclude_from_weight_decay lists. Malicious regular expressions can cause catastrophic backtracking during the re.search call, leading to 100% CPU utilization and a denial of service. This issue can be exploited by attackers who can control the patterns in these lists, potentially causing the machine learning task to hang and rendering services unresponsive.
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2025

CVE-2025-8354

Publication date:
23/09/2025
A maliciously crafted RFA file, when parsed through Autodesk Revit, can force a Type Confusion vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process.
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2025

CVE-2017-20200

Publication date:
23/09/2025
A vulnerability has been found in Coinomi up to 1.7.6. This issue affects some unknown processing. Such manipulation leads to cleartext transmission of sensitive information. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit has been disclosed to the public and may be used. The vendor replied with: "(...) there isn't any security implication associated with your findings."
Severity CVSS v4.0: MEDIUM
Last modification:
23/09/2025

CVE-2025-9846

Publication date:
23/09/2025
Unrestricted Upload of File with Dangerous Type vulnerability in TalentSys Consulting Information Technology Industry Inc. Inka.Net allows Command Injection.This issue affects Inka.Net: before 6.7.1.
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2025

CVE-2025-10184

Publication date:
23/09/2025
The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. <br /> <br /> The root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the update method of those providers.
Severity CVSS v4.0: HIGH
Last modification:
23/09/2025

CVE-2025-9963

Publication date:
23/09/2025
A path traversal vulnerability in Novakon P series allows to expose the root file system "/" and modify all files with root permissions. This way the system can also be compromized.This issue affects P series: P – V2001.A.C518o2.
Severity CVSS v4.0: CRITICAL
Last modification:
23/09/2025

CVE-2025-9964

Publication date:
23/09/2025
No password for the root user is set in Novakon P series. This allows phyiscal attackers to enter the console easily. <br /> This issue affects P series: P – V2001.A.C518o2.
Severity CVSS v4.0: HIGH
Last modification:
23/09/2025

CVE-2025-9965

Publication date:
23/09/2025
Improper authentication vulnerability in Novakon P series allows unauthenticated attackers to upload and download any application from/to the device.This issue affects P series: P – V2001.A.C518o2.
Severity CVSS v4.0: CRITICAL
Last modification:
23/09/2025

CVE-2025-9966

Publication date:
23/09/2025
Improper privilege management vulnerability in Novakon P series allows attackers to gain root privileges if one service is compromized.This issue affects P series: P – V2001.A.C518o2.
Severity CVSS v4.0: HIGH
Last modification:
23/09/2025

CVE-2025-10244

Publication date:
23/09/2025
A maliciously crafted HTML payload, when rendered by the Autodesk Fusion desktop application, can trigger a Stored Cross-site Scripting (XSS) vulnerability. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2025

CVE-2024-4598

Publication date:
23/09/2025
An information disclosure vulnerability exists in multiple WSO2 products due to improper implementation of the enrich mediator. Authenticated users may be able to view unintended business data from other mediation contexts because the internal state is not properly isolated or cleared between executions.<br /> <br /> This vulnerability does not impact user credentials or access tokens but may lead to leakage of sensitive business information handled during message flows.
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2025