Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a Spanish-language database available to anyone interested in this information; it includes the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, since entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used so that information can be exchanged between different tools and databases.

All collected vulnerabilities are linked to their information sources, as well as to any patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-32779

Publication date:
15/04/2025
E.D.D.I (Enhanced Dialog Driven Interface) is a middleware to connect and manage LLM API bots. In versions before 5.5.0, an attacker with access to the `/backup/import` API endpoint can write arbitrary files to locations outside the intended extraction directory due to a Zip Slip vulnerability. Although the application runs as a non-root user (`185`), limiting direct impact on system-level files, this vulnerability can still be exploited to overwrite application files (e.g., JAR libraries) owned by the application user. This overwrite can potentially lead to Remote Code Execution (RCE) within the application's context. This issue has been patched in version 5.5.0.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026
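The Zip Slip pattern described above, shown as an added example (this is not E.D.D.I's code): a naive extractor joins each archive entry name onto the destination directory without checking where the result lands, so an entry named ../../lib/app.jar overwrites a file two levels up. The hardened extractor resolves every entry with realpath() and refuses the whole archive if any entry escapes the destination. The archive contents and directory names are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed sample archive: a benign entry plus one whose name
    climbs out of the extraction directory with '../' components."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bot/config.json", "{}")
        zf.writestr("../../lib/app.jar", "attacker-controlled bytes")
    return buf.getvalue()


def _write_entry(zf: zipfile.ZipFile, info: zipfile.ZipInfo, target: str) -> None:
    if info.is_dir():
        os.makedirs(target, exist_ok=True)
        return
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as f:
        f.write(zf.read(info))


def extract_naive(zip_bytes: bytes, dest: str) -> None:
    """Vulnerable extractor: joins each entry name onto dest without
    checking where the result ends up (the Zip Slip pattern)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            _write_entry(zf, info, os.path.join(dest, info.filename))


def safe_target(dest: str, name: str) -> str:
    """Resolve the entry name against dest and refuse anything that lands
    outside it. realpath() also follows symlinks left by earlier entries,
    and an absolute entry name is caught because join() discards dest."""
    base = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"zip slip blocked: {name!r} -> {target}")
    return target


def extract_safe(zip_bytes: bytes, dest: str) -> None:
    """Hardened extractor: validate every entry before writing anything,
    so a poisoned archive is rejected as a whole."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = [(info, safe_target(dest, info.filename)) for info in zf.infolist()]
        for info, target in plan:
            _write_entry(zf, info, target)


def run_extractor(extractor) -> tuple:
    """Run an extractor in a scratch tree and report (blocked, escaped):
    whether it refused the archive and whether a file appeared outside dest."""
    root = tempfile.mkdtemp()
    dest = os.path.join(root, "extract", "work")
    os.makedirs(dest)
    try:
        extractor(build_malicious_zip(), dest)
        blocked = False
    except ValueError:
        blocked = True
    escaped = os.path.isfile(os.path.join(root, "lib", "app.jar"))
    return blocked, escaped


if __name__ == "__main__":
    print("naive:", run_extractor(extract_naive))
    print("safe: ", run_extractor(extract_safe))
```

The check has to run on the resolved path, not on the raw entry name: a prefix comparison on strings would let /srv/app-evil pass for /srv/app, and a symlink entry written earlier in the same archive can redirect a later, innocent-looking name. Validating all entries before the first write keeps a partially extracted backup from being left behind when the bad entry is not the first one.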

CVE-2025-32780

Publication date:
15/04/2025
BleachBit cleans files to free disk space and to maintain privacy. BleachBit for Windows up to version 4.6.2 is vulnerable to a DLL Hijacking vulnerability. By placing a malicious DLL with the name uuid.dll in the folder C:\Users\<username>\AppData\Local\Microsoft\WindowsApps\, an attacker can execute arbitrary code every time BleachBit is run. This issue has been patched in version 4.9.0.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-29817

Publication date:
15/04/2025
Uncontrolled search path element in Power Automate allows an authorized attacker to disclose information over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2025

CVE-2025-28198

Publication date:
15/04/2025
A SQL injection vulnerability in Hitout car sale 1.0 allows a remote attacker to obtain sensitive information via the orderBy parameter of the StoreController.java component.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2025
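Why a sort parameter is a classic injection point, shown as an added example that is not Hitout's code: ORDER BY does not accept a bound parameter, so developers often paste the request value straight into the statement. Even without stacked queries or visible errors, the row order then becomes a one-bit oracle that leaks data from any table. The schema, rows and admin password below are constructed for the demonstration; the hardened listing maps the parameter onto an allow-list of column names instead.

```python
import sqlite3

# Constructed sample data standing in for the application's tables.
STORE_ROWS = [(1, "apple", 30), (2, "banana", 10), (3, "cherry", 20)]
ADMIN_PASSWORD = "s3cret"          # the value the injection recovers
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

# Ids in price order: banana(10), cherry(20), apple(30).
ORDER_BY_PRICE = [2, 3, 1]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE store(id INTEGER, name TEXT, price INTEGER)")
    conn.executemany("INSERT INTO store VALUES (?, ?, ?)", STORE_ROWS)
    conn.execute("CREATE TABLE admin(username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES ('admin', ?)", (ADMIN_PASSWORD,))
    return conn


def list_store_vulnerable(conn, order_by: str) -> list:
    """Vulnerable: ORDER BY cannot take a bound parameter, so the request
    value is pasted into the statement and any expression is accepted."""
    sql = f"SELECT id FROM store ORDER BY {order_by}"
    return [row[0] for row in conn.execute(sql)]


def oracle_payload(position: int, guess: str) -> str:
    """Sort by price when the guessed character of the admin password
    matches, otherwise by name: the row order answers a yes/no question."""
    return (
        "(CASE WHEN (SELECT substr(password, %d, 1) FROM admin "
        "WHERE username = 'admin') = '%s' THEN price ELSE name END)"
        % (position, guess)
    )


def recover_secret(conn, length: int) -> str:
    """Recover the admin password one character at a time using nothing
    but the order of ids the vulnerable listing returns."""
    recovered = ""
    for position in range(1, length + 1):
        for guess in ALPHABET:
            if list_store_vulnerable(conn, oracle_payload(position, guess)) == ORDER_BY_PRICE:
                recovered += guess
                break
    return recovered


ALLOWED_COLUMNS = {"id", "name", "price"}
ALLOWED_DIRECTIONS = {"", "ASC", "DESC"}


def list_store_safe(conn, order_by: str) -> list:
    """Hardened: accept only an allow-listed column and direction; the
    request value itself never reaches the SQL text."""
    column, _, direction = order_by.strip().partition(" ")
    direction = direction.strip().upper()
    if column not in ALLOWED_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort key: {order_by!r}")
    sql = f"SELECT id FROM store ORDER BY {column} {direction}".rstrip()
    return [row[0] for row in conn.execute(sql)]


def safe_rejects(conn, order_by: str) -> bool:
    try:
        list_store_safe(conn, order_by)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("recovered:", recover_secret(make_db(), len(ADMIN_PASSWORD)))
    print("rejected: ", safe_rejects(make_db(), oracle_payload(1, "s")))
```

The extraction needs about 36 requests per character and no error message or data in the response body, which is why this class of bug is easy to miss in testing that only looks for SQL errors. Escaping is the wrong fix for a sort key, since the value is an identifier or expression rather than a string literal; an allow-list is the only reliable control.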

CVE-2025-32911

Publication date:
15/04/2025
A use-after-free type vulnerability was found in libsoup, in the soup_message_headers_get_content_disposition() function. This flaw allows a malicious HTTP client to cause memory corruption in the libsoup server.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-24948

Publication date:
15/04/2025
In JotUrl 2.0, passwords are sent via HTTP GET-type requests, potentially exposing credentials to eavesdropping or insecure records.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2025

CVE-2025-24949

Publication date:
15/04/2025
In JotUrl 2.0, it is possible to bypass security requirements during the password change process.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2025

CVE-2024-36842

Publication date:
15/04/2025
An issue in Oncord+ Android Infotainment Systems OS Android 12, Model Hardware TS17, Hardware part Number F57L_V3.2_20220301, and Build Number PlatformVER:K24-2023/05/09-v0.01 allows a remote attacker to execute arbitrary code via the ADB port component.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-11084

Publication date:
15/04/2025
Helix ALM prior to 2025.1 returns distinct error responses during authentication, allowing an attacker to determine whether a username exists.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026
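The username enumeration pattern above, shown as an added example that is not Helix ALM's code: a login handler that answers "unknown user" for one failure and "wrong password" for the other tells an attacker which accounts exist, and skipping the password hash for unknown users leaks the same fact through response time. The hardened handler returns one message for both failures and does the same PBKDF2 work on a decoy credential when the account does not exist. The user table, password and parameters are constructed for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000
GENERIC_MESSAGE = "invalid username or password"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_table() -> dict:
    """Constructed user store with a single real account."""
    salt = os.urandom(16)
    return {"alice": (salt, hash_password("correct horse", salt))}


USERS = make_user_table()

# Decoy credential used for unknown usernames: a random salt and a digest
# that is not derived from any password, so no guess can ever match it.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = os.urandom(32)


def login_leaky(username: str, password: str) -> tuple:
    """Vulnerable: distinct error text for 'no such user' and 'bad
    password', and no hashing work at all when the user is unknown."""
    if username not in USERS:
        return False, "unknown user"
    salt, stored = USERS[username]
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return False, "wrong password"
    return True, "ok"


def login_uniform(username: str, password: str) -> tuple:
    """Hardened: identical response for both failure cases, and the same
    PBKDF2 work is done whether or not the account exists."""
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    candidate = hash_password(password, salt)
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    return (True, "ok") if ok else (False, GENERIC_MESSAGE)


if __name__ == "__main__":
    print(login_leaky("bob", "x"), login_leaky("alice", "x"))
    print(login_uniform("bob", "x"), login_uniform("alice", "x"))
```

The message is only the most visible channel: status code, response length, redirect target and per-request timing all need to be the same for both failure cases, and registration and password-reset endpoints usually leak account existence just as readily as login does.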

CVE-2024-13177

Publication date:
15/04/2025
Netskope Client on Mac OS is impacted by a vulnerability in which the postinstall script does not properly validate the path of the file “nsinstallation”. A standard user could potentially create a symlink of the file “nsinstallation” to escalate the privileges of a different file on the system. This issue affects Netskope Client: before 123.0, before 117.1.11.2310, before 120.1.10.2306.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026
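The symlink-following install pattern above, shown as an added example that is not Netskope's code and assumes a POSIX system: a privileged script that adjusts the mode of a file at a path a standard user can pre-create will, if that path has been replaced with a symlink, apply the change to whatever the link points at. The hardened version opens the path with O_NOFOLLOW, checks that the open descriptor is a regular file and changes the mode through that same descriptor, which also closes the check-then-act window. The scenario uses chmod because it can run unprivileged; the same pattern applies to chown via fchown. The file names are constructed for the demonstration.

```python
import os
import stat
import tempfile


def fix_perms_following(path: str, mode: int) -> None:
    """Vulnerable: os.chmod() follows symlinks, so if the expected file
    was replaced by a link, the link's destination is what gets changed."""
    os.chmod(path, mode)


def fix_perms_nofollow(path: str, mode: int) -> None:
    """Hardened: refuse to traverse a symlink, verify the opened object
    is a regular file, then change the mode via the descriptor."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)   # raises OSError on a symlink
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError(f"refusing to change mode of non-regular file {path!r}")
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def run_scenario(fixer) -> tuple:
    """Constructed scenario: a standard user pre-creates 'nsinstallation'
    as a symlink to a file they should not be able to loosen (victim).
    Returns (installer_refused, victim_mode_after)."""
    root = tempfile.mkdtemp()
    victim = os.path.join(root, "victim")
    with open(victim, "w") as f:
        f.write("sensitive\n")
    os.chmod(victim, 0o600)
    link = os.path.join(root, "nsinstallation")
    os.symlink(victim, link)
    try:
        fixer(link, 0o777)
        refused = False
    except OSError:
        refused = True
    return refused, stat.S_IMODE(os.stat(victim).st_mode)


if __name__ == "__main__":
    print("following:", run_scenario(fix_perms_following))
    print("nofollow: ", run_scenario(fix_perms_nofollow))
```

Checking os.path.islink() before calling chmod is not enough on its own: the user can swap the file for a link between the check and the change. Doing both the check and the change on one open descriptor is what removes the race, and the same rule holds for any privileged script that touches files in a directory a lower-privileged user can write to.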

CVE-2020-18243

Publication date:
15/04/2025
SQL injection vulnerability found in Enricozab CMS v.1.0 allows a remote attacker to execute arbitrary code via /hdo/hdo-view-case.php.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2025

CVE-2025-32947

Publication date:
15/04/2025
This vulnerability allows any attacker to cause the PeerTube server to stop responding to requests due to an infinite loop in the "inbox" endpoint when receiving crafted ActivityPub activities.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2025