Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, of the latest documented and recognised vulnerabilities for any user interested in this information.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still translating them. Vulnerabilities are identified using the CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names, so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-27105

Publication date:
21/02/2025
Vyper is a Pythonic smart contract language for the EVM. Vyper handles AugAssign statements by first caching the target location to avoid double evaluation. However, when the target is an access to a DynArray and the right-hand side modifies the array, the cached target is evaluated first and the bounds check is not re-evaluated during the write portion of the statement. This issue has been addressed in version 0.4.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: LOW
Last modification:
28/03/2025
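The evaluation-order problem described above, modelled in Python as an added example for this page (it is not Vyper's compiler code). The DynArray class, the two lowerings of `arr[i] += rhs()` and the popping right-hand side are all constructed here: the flawed lowering checks the bounds and caches the slot before the right-hand side runs, then writes without re-checking, while the fixed lowering re-validates the index at write time.

```python
"""Model of an AugAssign on a DynArray whose right-hand side shrinks the array.

Added illustration for this page, not Vyper's own code. The backing store,
the length field and the two lowerings below are assumptions made to show
why caching the target before evaluating the rhs is unsafe.
"""


class DynArray:
    """Bounded dynamic array: a fixed backing store plus a live length."""

    def __init__(self, capacity, items):
        assert len(items) <= capacity
        self.capacity = capacity
        self.store = list(items) + [0] * (capacity - len(items))
        self.length = len(items)

    def bounds_check(self, i):
        if not 0 <= i < self.length:
            raise IndexError(f"index {i} out of bounds for length {self.length}")

    def read(self, i):
        self.bounds_check(i)
        return self.store[i]

    def pop(self):
        """Shrink by one and return the dropped element (a side effect)."""
        self.bounds_check(self.length - 1)
        self.length -= 1
        return self.store[self.length]

    def live(self):
        """The elements the array currently considers valid."""
        return self.store[: self.length]


def augassign_cached_target(arr, i, rhs):
    """Flawed lowering: bounds check and slot address computed once, up front."""
    arr.bounds_check(i)            # checked against the OLD length
    slot = i                       # cached target location
    old = arr.store[slot]
    value = rhs(arr)               # rhs may shrink the array
    arr.store[slot] = old + value  # written with NO re-check: stale slot
    return arr.store[slot]


def augassign_recheck(arr, i, rhs):
    """Fixed lowering: the bounds check is re-evaluated at write time."""
    old = arr.read(i)
    value = rhs(arr)
    arr.bounds_check(i)            # re-checked against the possibly new length
    arr.store[i] = old + value
    return arr.store[i]


def popping_rhs(arr):
    """Constructed right-hand side with a side effect: pops the last element."""
    return arr.pop()


def demo():
    """Run both lowerings on `arr[2] += pop()` where index 2 is the last element."""
    a = DynArray(4, [10, 20, 30])
    stale = augassign_cached_target(a, 2, popping_rhs)  # lands outside live region
    b = DynArray(4, [10, 20, 30])
    try:
        augassign_recheck(b, 2, popping_rhs)
        caught = False
    except IndexError:
        caught = True
    return a.live(), a.store, stale, caught


if __name__ == "__main__":
    print(demo())
```

With the flawed order the array ends with a live length of 2 but a write of 60 sits in slot 2, past the end the contract now believes it has; the re-checking version raises instead of writing.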

CVE-2019-8900

Publication date:
21/02/2025
A vulnerability in the SecureROM of some Apple devices can be exploited by an unauthenticated local attacker to execute arbitrary code upon booting those devices. This vulnerability allows arbitrary code to be executed on the device. Exploiting the vulnerability requires physical access to the device: the device must be plugged in to a computer upon booting, and it must be put into Device Firmware Update (DFU) mode. The exploit is not persistent; rebooting the device overrides any changes to the device's software that were made during an exploited session on the device. Additionally, unless an attacker has access to the device's unlock PIN or fingerprint, an attacker cannot gain access to information protected by Apple's Secure Enclave or Touch ID features.
Severity CVSS v4.0: Pending analysis
Last modification:
29/07/2025

CVE-2025-25282

Publication date:
21/02/2025
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine based on deep document understanding. An authenticated user can exploit an Insecure Direct Object Reference (IDOR) vulnerability to gain unauthorized cross-tenant access: listing the user accounts of another tenant (e.g., via GET //user/list) and adding a user account to another tenant (via POST //user). This issue has not yet been patched. Users are advised to reach out to the project maintainers to coordinate a fix.
Severity CVSS v4.0: Pending analysis
Last modification:
16/07/2025
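The class of bug above, an authenticated caller acting on a tenant it does not belong to, beside the server-side membership check that closes it. This is an added example for this page, not RAGFlow's code: the in-memory tenant table, the handler names and the role names are constructed for illustration.

```python
"""Tenant-scoped authorization check for a cross-tenant IDOR.

Added example, not the project's code. The vulnerable handler trusts the
tenant_id the client supplies; the fixed handlers resolve the caller's
membership in that tenant server-side before acting on it.
"""
import copy


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested tenant."""


# Constructed state: tenant_id -> {user_id: role}
TENANTS = {
    "t-alpha": {"u-1": "owner", "u-2": "member"},
    "t-beta": {"u-3": "owner"},
}


def list_users_vulnerable(tenants, caller_id, tenant_id):
    """IDOR: checks only that the caller is authenticated, not that it belongs
    to tenant_id, so any user can enumerate any tenant's members."""
    if caller_id is None:
        raise Forbidden("authentication required")
    return sorted(tenants[tenant_id])


def require_membership(tenants, caller_id, tenant_id, roles=("owner", "member")):
    """Return the caller's role in tenant_id or raise Forbidden.

    An unknown tenant and a non-member both get the same Forbidden, so the
    check does not leak which tenant ids exist."""
    role = tenants.get(tenant_id, {}).get(caller_id)
    if role not in roles:
        raise Forbidden(f"{caller_id} may not act on {tenant_id}")
    return role


def list_users_fixed(tenants, caller_id, tenant_id):
    require_membership(tenants, caller_id, tenant_id)
    return sorted(tenants[tenant_id])


def add_user_fixed(tenants, caller_id, tenant_id, new_user_id, role="member"):
    # Only an owner of the tenant may add accounts to it.
    require_membership(tenants, caller_id, tenant_id, roles=("owner",))
    tenants[tenant_id][new_user_id] = role
    return sorted(tenants[tenant_id])


def _outcome(handler, *args):
    try:
        return handler(*args)
    except Forbidden:
        return "denied"


def demo():
    """Run the cases on a private copy of TENANTS and report each outcome."""
    tenants = copy.deepcopy(TENANTS)
    out = {}
    # u-3 belongs to t-beta only, yet the vulnerable handler lists t-alpha for it
    out["vuln_cross_tenant"] = list_users_vulnerable(tenants, "u-3", "t-alpha")
    out["fixed_cross_tenant"] = _outcome(list_users_fixed, tenants, "u-3", "t-alpha")
    out["fixed_own_tenant"] = _outcome(list_users_fixed, tenants, "u-2", "t-alpha")
    out["member_add"] = _outcome(add_user_fixed, tenants, "u-2", "t-alpha", "u-9")
    out["owner_add"] = _outcome(add_user_fixed, tenants, "u-1", "t-alpha", "u-9")
    return out


if __name__ == "__main__":
    print(demo())
```

The point of `require_membership` is that the tenant identifier from the request is never the basis of the decision; the caller's own membership record is, and a write (adding an account) demands a stricter role than a read.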

CVE-2025-1555

Publication date:
21/02/2025
A vulnerability classified as critical was found in hzmanyun Education and Training System 3.1.1. This vulnerability affects the function saveImage. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
29/01/2026

CVE-2025-25767

Publication date:
21/02/2025
A vertical privilege escalation vulnerability in the component /controller/UserController.java of MRCMS v3.1.2 allows attackers to arbitrarily delete users via a crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2025

CVE-2025-25768

Publication date:
21/02/2025
MRCMS v3.1.2 was discovered to contain a server-side template injection (SSTI) vulnerability in the component \servlet\DispatcherServlet.java. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
Severity CVSS v4.0: Pending analysis
Last modification:
04/04/2025

CVE-2025-25769

Publication date:
21/02/2025
Wangmarket v4.10 to v5.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /controller/UserController.java.
Severity CVSS v4.0: Pending analysis
Last modification:
28/03/2025

CVE-2025-25770

Publication date:
21/02/2025
Wangmarket v4.10 to v5.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /agency/AgencyUserController.java.
Severity CVSS v4.0: Pending analysis
Last modification:
28/03/2025

CVE-2025-25604

Publication date:
21/02/2025
Totolink X5000R V9.1.0u.6369_B20230113 is vulnerable to command injection via the vif_disable function in mtkwifi.lua.
Severity CVSS v4.0: Pending analysis
Last modification:
04/04/2025

CVE-2025-25605

Publication date:
21/02/2025
Totolink X5000R V9.1.0u.6369_B20230113 is vulnerable to command injection via the apcli_wps_gen_pincode function in mtkwifi.lua.
Severity CVSS v4.0: Pending analysis
Last modification:
04/04/2025

CVE-2025-25772

Publication date:
21/02/2025
A Cross-Site Request Forgery (CSRF) in the component /back/UserController.java of Jspxcms v9.0 to v9.5 allows attackers to arbitrarily add Administrator accounts via a crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2025

CVE-2020-19248

Publication date:
21/02/2025
SQL injection vulnerability in PbootCMS 1.4.1 in the parsing of if statements in templates, allowing a malicious user to contaminate template content through search page URLs and so trigger the vulnerability when the program uses eval statements to parse templates.
Severity CVSS v4.0: Pending analysis
Last modification:
07/04/2025