Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. The database is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-41646

Publication date:
06/06/2025
An unauthorized remote attacker can bypass the authentication of the affected software package by misusing an incorrect type conversion. This leads to full compromise of the device.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2025

CVE-2025-27531

Publication date:
06/06/2025
Deserialization of Untrusted Data vulnerability in Apache InLong.

This issue affects Apache InLong: from 1.13.0 before 2.1.0. This issue would allow an authenticated attacker to read arbitrary files by double writing the param.

Users are recommended to upgrade to version 2.1.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2025

CVE-2025-5791

Publication date:
06/06/2025
A flaw was found in the user's crate for Rust. This vulnerability allows privilege escalation via incorrect group listing when a user or process has fewer than exactly 1024 groups, leading to the erroneous inclusion of the root group in the access list.
Severity CVSS v4.0: Pending analysis
Last modification:
09/06/2025

CVE-2025-5806

Publication date:
06/06/2025
Jenkins Gatling Plugin 136.vb_9009b_3d33a_e serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.625, resulting in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content.
Severity CVSS v4.0: Pending analysis
Last modification:
09/06/2025

CVE-2025-38002

Publication date:
06/06/2025
In the Linux kernel, the following vulnerability has been resolved:

io_uring/fdinfo: grab ctx->uring_lock around io_uring_show_fdinfo()

Not everything requires locking in there, which is why the 'has_lock' variable exists. But enough does that it's a bit unwieldy to manage. Wrap the whole thing in a ->uring_lock trylock, and just return with no output if we fail to grab it. The existing trylock() will already have greatly diminished utility/output for the failure case.

This fixes an issue with reading the SQE fields, if the ring is being actively resized at the same time.
Severity CVSS v4.0: Pending analysis
Last modification:
26/06/2025

CVE-2025-5778

Publication date:
06/06/2025
A vulnerability, which was classified as critical, was found in 1000 Projects ABC Courier Management System 1.0. Affected is an unknown function of the file /admin. The manipulation of the argument Username leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
11/07/2025

CVE-2025-38001

Publication date:
06/06/2025
In the Linux kernel, the following vulnerability has been resolved:

net_sched: hfsc: Address reentrant enqueue adding class to eltree twice

Savino says:
"We are writing to report that this recent patch (141d34391abbb315d68556b7c67ad97885407547) [1] can be bypassed, and a UAF can still occur when HFSC is utilized with NETEM.

The patch only checks the cl->cl_nactive field to determine whether it is the first insertion or not [2], but this field is only incremented by init_vf [3].

By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the check and insert the class twice in the eltree. Under normal conditions, this would lead to an infinite loop in hfsc_dequeue for the reasons we already explained in this report [5].

However, if TBF is added as root qdisc and it is configured with a very low rate, it can be utilized to prevent packets from being dequeued. This behavior can be exploited to perform subsequent insertions in the HFSC eltree and cause a UAF."

To fix both the UAF and the infinite loop, with netem as an hfsc child, check explicitly in hfsc_enqueue whether the class is already in the eltree whenever the HFSC_RSC flag is set.

[1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547
[2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572
[3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677
[4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574
[5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u
Severity CVSS v4.0: Pending analysis
Last modification:
13/07/2025

CVE-2025-0620

Publication date:
06/06/2025
A flaw was found in Samba. The smbd service daemon does not pick up group membership changes when re-authenticating an expired SMB session. This issue can expose file shares until clients disconnect and then connect again.
Severity CVSS v4.0: Pending analysis
Last modification:
09/06/2025

CVE-2025-5766

Publication date:
06/06/2025
A vulnerability was found in code-projects Laundry System 1.0. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
10/06/2025

CVE-2025-5765

Publication date:
06/06/2025
A vulnerability was found in code-projects Laundry System 1.0. It has been classified as problematic. This affects an unknown part of the file /data/edit_laundry.php. The manipulation of the argument Customer leads to cross-site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
10/06/2025

CVE-2025-5764

Publication date:
06/06/2025
A vulnerability was found in code-projects Laundry System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /data/insert_laundry.php. The manipulation of the argument Customer leads to cross-site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
10/06/2025

CVE-2025-49453

Publication date:
06/06/2025
Cross-Site Request Forgery (CSRF) vulnerability in Jatinder Pal Singh BP Profile as Homepage allows Stored XSS. This issue affects BP Profile as Homepage: from n/a through 1.1.
Severity CVSS v4.0: Pending analysis
Last modification:
06/06/2025