Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates that information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-31484

Publication date:
02/04/2025
conda-forge infrastructure holds common configurations and settings for key pieces of the conda-forge infrastructure. Between 2025-02-10 and 2025-04-01, conda-forge infrastructure used the wrong token for Azure's cf-staging access. This bug meant that any feedstock maintainer could upload a package to the conda-forge channel, bypassing our feedstock-token + upload process. The security logs on anaconda.org were checked for any packages that were not copied from the cf-staging to the conda-forge channel and none were found.
Severity CVSS v4.0: CRITICAL
Last modification:
15/04/2026

CVE-2025-30218

Publication date:
02/04/2025
Next.js is a React framework for building full-stack web applications. To mitigate CVE-2025-29927, Next.js validated the x-middleware-subrequest-id which persisted across multiple incoming requests. However, this subrequest ID is sent to all requests, even if the destination is not the same host as the Next.js application. Initiating a fetch request to a third-party within Middleware will send the x-middleware-subrequest-id to that third party. This vulnerability is fixed in 12.3.6, 13.5.10, 14.2.26, and 15.2.4.
Severity CVSS v4.0: LOW
Last modification:
10/09/2025

CVE-2025-27608

Publication date:
02/04/2025
Arduino IDE 2.x is an IDE based on the Theia IDE framework and built with Electron. A Self Cross-Site Scripting (XSS) vulnerability has been identified within the Arduino-IDE prior to version v2.3.5. The vulnerability occurs in the Additional Board Manager URLs field, which can be found in the Preferences -> Settings section of the Arduino IDE interface. In the vulnerable versions, any values entered in this field are directly displayed to the user through a notification tooltip object, without a proper output encoding routine, due to the underlying ElectronJS engine interpretation. This vulnerability exposes the input parameter to Self-XSS attacks, which may lead to security risks depending on where the malicious payload is injected. This vulnerability is fixed in 2.3.5.
Severity CVSS v4.0: LOW
Last modification:
15/04/2026

CVE-2025-0257

Publication date:
02/04/2025
HCL DevOps Deploy / HCL Launch could allow unauthorized access to other services or potential exposure of sensitive data due to missing authentication in its Agent Relay service.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2025

CVE-2025-30080

Publication date:
02/04/2025
Signalling in Pexip Infinity 29 through 36.2 before 37.0 has improper input validation that allows remote attackers to trigger a temporary denial of service (software abort).
Severity CVSS v4.0: Pending analysis
Last modification:
18/06/2025

CVE-2025-3118

Publication date:
02/04/2025
A vulnerability was found in SourceCodester Online Tutor Portal 1.0. It has been classified as critical. This affects an unknown part of the file /tutor/courses/view_course.php. The manipulation of the argument ID leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
10/04/2025

CVE-2025-22923

Publication date:
02/04/2025
An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal and delete files by sending a crafted POST request to /Modules.php?modname=users/Staff.php&removefile.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2025

CVE-2025-22924

Publication date:
02/04/2025
OS4ED openSIS v7.0 through v9.1 contains a SQL injection vulnerability via the stu_id parameter at /modules/students/Student.php.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025

CVE-2025-22925

Publication date:
02/04/2025
OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the table parameter at /attendance/AttendanceCodes.php. The remote, authenticated attacker requires the admin role to successfully exploit this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025

CVE-2025-29062

Publication date:
02/04/2025
An issue in BL-AC2100
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025

CVE-2025-29063

Publication date:
02/04/2025
An issue in BL-AC2100 V1.0.4 and before allows a remote attacker to execute arbitrary code via the enable parameter passed to /goform/set_hidessid_cfg, which is not handled properly.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025

CVE-2025-29719

Publication date:
02/04/2025
SourceCodester (rems) Employee Management System 1.0 is vulnerable to Cross Site Scripting (XSS) in add_employee.php via the First Name and Address text fields.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2025