Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-0315
Publication date:
20/03/2025
A vulnerability in ollama/ollama
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2025

CVE-2025-0317
Publication date:
20/03/2025
A vulnerability in ollama/ollama versions
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2025

CVE-2025-0330
Publication date:
20/03/2025
In berriai/litellm version v1.52.1, an issue in proxy_server.py causes the leakage of Langfuse API keys when an error occurs while parsing team settings. This vulnerability exposes sensitive information, including langfuse_secret and langfuse_public_key, which can provide full access to the Langfuse project storing all requests.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2025

CVE-2025-0452
Publication date:
20/03/2025
eosphoros-ai/DB-GPT version latest is vulnerable to arbitrary file deletion on Windows systems via the '/v1/agent/hub/update' endpoint. The application fails to properly filter the '\' character, which is commonly used as a separator in Windows paths. This vulnerability allows attackers to delete any files on the host system by manipulating the 'plugin_repo_name' variable.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2025

CVE-2025-0192
Publication date:
20/03/2025
A stored Cross-site Scripting (XSS) vulnerability exists in the latest version of wandb/openui. The vulnerability is present in the edit HTML functionality, where an attacker can inject malicious scripts. When the modified HTML is shared with another user, the XSS payload executes, potentially leading to the theft of user prompt history and other sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-0183
Publication date:
20/03/2025
A stored cross-site scripting (XSS) vulnerability exists in the Latex Proof-Reading Module of binary-husky/gpt_academic version 3.9.0. This vulnerability allows an attacker to inject malicious scripts into the `debug_log.html` file generated by the module. When an admin visits this debug report, the injected scripts can execute, potentially leading to unauthorized actions and data access.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2025

CVE-2025-0184
Publication date:
20/03/2025
A Server-Side Request Forgery (SSRF) vulnerability was identified in langgenius/dify version 0.10.2. The vulnerability occurs in the 'Create Knowledge' section when uploading DOCX files. If an external relationship exists in the DOCX file, the reltype value is requested as a URL using the 'requests' module instead of the 'ssrf_proxy', leading to an SSRF vulnerability. This issue was fixed in version 0.11.0.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2025

CVE-2025-0185
Publication date:
20/03/2025
A vulnerability in the Dify Tools' Vanna module of the langgenius/dify repository allows for a Pandas Query Injection in the latest version. The vulnerability occurs in the function `vn.get_training_plan_generic(df_information_schema)`, which does not properly sanitize user inputs before executing queries using the Pandas library. This can potentially lead to Remote Code Execution (RCE) if exploited.
Severity CVSS v4.0: Pending analysis
Last modification:
27/03/2025

CVE-2025-0187
Publication date:
20/03/2025
A Denial of Service (DoS) vulnerability was discovered in the file upload feature of gradio-app/gradio version 0.39.1. The vulnerability is due to improper handling of form-data with a large filename in the file upload request. By sending a payload with an excessively large filename, the server becomes overwhelmed and unresponsive, leading to unavailability for legitimate users.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2025

CVE-2025-0188
Publication date:
20/03/2025
A Server-Side Request Forgery (SSRF) vulnerability was discovered in gaizhenbiao/chuanhuchatgpt version 20240914. The vulnerability allows an attacker to construct a response link by saving the response in a folder named after the SHA-1 hash of the target URL. This enables the attacker to access the response directly, potentially leading to unauthorized access to internal systems, data theft, service disruption, or further attacks such as port scanning and accessing metadata endpoints.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2025

CVE-2025-0189
Publication date:
20/03/2025
In version 3.25.0 of aimhubio/aim, the tracking server is vulnerable to a denial of service attack. The server overrides the maximum size for websocket messages, allowing very large images to be tracked. This causes the server to become unresponsive to other requests while processing the large image, leading to a denial of service condition.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2025

CVE-2025-0190
Publication date:
20/03/2025
In version 3.25.0 of aimhubio/aim, a denial of service vulnerability exists. By tracking a large number of `Text` objects and then querying them simultaneously through the web API, the Aim web server becomes unresponsive to other requests for an extended period while processing and returning these objects. This vulnerability can be exploited repeatedly, leading to a complete denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
28/03/2025
Subscribe to Vulnerabilities