Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters, you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-30807

Publication date:
01/04/2025
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Martin Nguyen Next-Cart Store to WooCommerce Migration nextcart-woocommerce-migration allows SQL Injection. This issue affects Next-Cart Store to WooCommerce Migration: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2025-29033

Publication date:
01/04/2025
An issue in BambooHR Build v.25.0210.170831-83b08dd allows a remote attacker to escalate privileges via the /saml/index.php?r=" HTTP GET parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-29036

Publication date:
01/04/2025
An issue in hackathon-starter v.8.1.0 allows a remote attacker to escalate privileges via the user.js component.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-29049

Publication date:
01/04/2025
Cross Site Scripting vulnerability in arnog MathLive Versions v0.103.0 and before (fixed in 0.104.0) allows an attacker to execute arbitrary code via the MathLive function.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-13941

Publication date:
01/04/2025
A vulnerability was found in ouch-org ouch up to 0.3.1. It has been classified as critical. This affects the function ouch::archive::zip::convert_zip_date_time of the file zip.rs. The manipulation of the argument month leads to memory corruption. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 0.4.0 is able to address this issue. It is recommended to upgrade the affected component.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2003-20001

Publication date:
01/04/2025
An issue was discovered on Mitel ICP VoIP 3100 devices. When a remote user attempts to log in via TELNET during the login wait time and an external call comes in, the system incorrectly divulges information about the call and any SMDR records generated by the system. The information provided includes the service type, extension number and other parameters, related to the call activity.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-29069

Publication date:
01/04/2025
A heap buffer overflow vulnerability has been identified in the lcms2-2.16. The vulnerability exists in the UnrollChunkyBytes function in cmspack.c, which is responsible for handling color space transformations. NOTE: this is disputed by the Supplier because the finding identified a bug in a third-party calling program, not in lcms.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-3096

Publication date:
01/04/2025
Clinic’s Patient Management System version 2.0 suffers from a SQL injection vulnerability in the login page.
Severity CVSS v4.0: CRITICAL
Last modification:
15/04/2026

CVE-2025-31137

Publication date:
01/04/2025
React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. There is a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an incoming Request by putting a URL pathname in the port section of a URL that is part of a Host or X-Forwarded-Host header sent to a Remix/React Router request handler. This issue has been patched and released in Remix 2.16.3 and React Router 7.4.1.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-26054

Publication date:
01/04/2025
Infinxt iEdge 100 2.1.32 is vulnerable to Cross Site Scripting (XSS) via the "Description" field during LAN configuration.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-26055

Publication date:
01/04/2025
An OS Command Injection vulnerability exists in the Infinxt iEdge 100 2.1.32 Troubleshoot module, specifically in the tracertVal parameter of the Tracert function.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-26056

Publication date:
01/04/2025
A command injection vulnerability exists in the Infinxt iEdge 100 2.1.32 in the Troubleshoot module "MTR" functionality. The vulnerability is due to improper validation of user-supplied input in the mtrIp parameter. An attacker can exploit this flaw to execute arbitrary operating system commands on the underlying system with the same privileges as the web application process.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026