Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates that information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-27780

Publication date:
19/03/2025
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in model_information.py. `model_name` in model_information.py takes user-supplied input (e.g. a path to a model) and passes that value to `run_model_information_script` and later to the `model_information` function, which loads that model with `torch.load` in rvc/train/process/model_information.py (on line 16 in 3.2.8-bugfix), which is vulnerable to unsafe deserialization. The issue can lead to remote code execution. A patch is available in the `main` branch of the repository.
Severity CVSS v4.0: HIGH
Last modification:
01/08/2025

CVE-2025-26816

Publication date:
19/03/2025
A vulnerability in Intrexx Portal Server 12.0.2 and earlier which was classified as problematic potentially allows users with particular permissions under certain conditions to see potentially sensitive data from a different user context.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-55009

Publication date:
19/03/2025
A reflected cross-site scripting (XSS) vulnerability in AutoBib - Bibliographic collection management system 3.1.140 and earlier allows attackers to execute arbitrary JavaScript in the context of a victim's browser by injecting a crafted payload into the WCE=topFrame&WCU= parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2025

CVE-2025-30258

Publication date:
19/03/2025
In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2025

CVE-2025-27705

Publication date:
19/03/2025
There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.53. Attackers with system administrator permissions can interfere with another system administrator’s use of the management console when the second administrator logs in. Attack complexity is high, attack requirements are present, privileges required are none, user interaction is required. The impact to confidentiality is low, the impact to availability is none, and the impact to system integrity is none.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2025-2476

Publication date:
19/03/2025
Use after free in Lens in Google Chrome prior to 134.0.6998.117 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2025

CVE-2025-2536

Publication date:
19/03/2025
Cross-site scripting (XSS) vulnerability on Liferay Portal 7.4.3.82 through 7.4.3.128, and Liferay DXP 2024.Q3.0, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 82 through update 92 in the Frontend JS module's layout-taglib/__liferay__/index.js allows remote attackers to inject arbitrary web script or HTML via toastData parameter.
Severity CVSS v4.0: MEDIUM
Last modification:
16/12/2025

CVE-2025-27415

Publication date:
19/03/2025
Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind a CDN, it is possible in some circumstances to poison the CDN cache and severely impact the availability of a site. It is possible to craft a request, such as https://mysite.com/?/_payload.json, which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site. An attacker can perform this attack against a vulnerable site in order to make the site unavailable indefinitely. Where the cache is periodically reset, it is also possible to write a small script that sends a request every X seconds (= caching duration) so that the cache is permanently poisoned, making the site completely unavailable. This vulnerability is fixed in 3.16.0.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2025

CVE-2025-27704

Publication date:
19/03/2025
There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.53. Attackers with system administrator permissions can interfere with another system administrator’s use of the management console when the second administrator logs in. Attack complexity is high, attack requirements are present, privileges required are none, user interaction is required. The impact to confidentiality is low, the impact to availability is none, and the impact to system integrity is none.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2024-57061

Publication date:
19/03/2025
An issue in Termius Version 9.9.0 through v.9.16.0 allows a physically proximate attacker to execute arbitrary code via the insecure Electron Fuses configuration.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-7631

Publication date:
19/03/2025
A flaw was found in the OpenShift Console, an endpoint for plugins to serve resources in multiple languages: /locales/resources.json. This endpoint's lng and ns parameters are used to construct a filepath in pkg/plugins/handlers unsafely.go#L112. Because of this unsafe filepath construction, an authenticated user can manipulate the path to retrieve any JSON files on the console's pod by using sequences of ../ and valid directory paths.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-51459

Publication date:
19/03/2025
IBM InfoSphere Information Server 11.7 could allow a local user to execute privileged commands due to the improper handling of permissions.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2025