Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-31485

Publication date:
03/04/2025
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Prior to 4.0.22 and 3.4.17, a GraphQL grant on a property might be cached with different objects. The ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe() method is meant to prevent the caching but the parent::normalize method that is called afterwards still creates the cache key and causes the issue. This vulnerability is fixed in 4.0.22 and 3.4.17.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2025

CVE-2025-31161

Publication date:
03/04/2025
CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.
Severity CVSS v4.0: Pending analysis
Last modification:
21/04/2025

CVE-2025-29504

Publication date:
03/04/2025
Insecure Permission vulnerability in student-manage 1 allows a local attacker to escalate privileges via the Unsafe permission verification.
Severity CVSS v4.0: Pending analysis
Last modification:
07/04/2025

CVE-2025-29570

Publication date:
03/04/2025
An issue in Shenzhen Libituo Technology Co., Ltd LBT-T300-T400 v3.2 allows a local attacker to escalate privileges via the function tftp_image_check of a binary named rc.
Severity CVSS v4.0: Pending analysis
Last modification:
07/04/2025

CVE-2025-29462

Publication date:
03/04/2025
A buffer overflow vulnerability has been discovered in Tenda Ac15 V15.13.07.13. The vulnerability occurs when the webCgiGetUploadFile function calls the socketRead function to process HTTP request messages, resulting in the overwriting of a buffer on the stack.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2025

CVE-2025-30406

Publication date:
03/04/2025
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: a CentreStack admin can manually delete the machineKey defined in portal\web.config.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2025

CVE-2025-29064

Publication date:
03/04/2025
An issue in TOTOLINK x18 v.9.1.0cu.2024_B20220329 allows a remote attacker to execute arbitrary code via the sub_410E54 function of the cstecgi.cgi.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025

CVE-2024-45198

Publication date:
03/04/2025
insightsoftware Spark JDBC 2.6.21 has a remote code execution vulnerability. Attackers can inject malicious parameters into the JDBC URL, triggering JNDI injection during the process when the JDBC Driver uses this URL to connect to the database. This can further lead to remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
07/04/2025

CVE-2025-26818

Publication date:
03/04/2025
Netwrix Password Secure through 9.2 allows command injection.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2025

CVE-2025-26817

Publication date:
03/04/2025
Netwrix Password Secure 9.2.0.32454 allows OS command injection.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2025

CVE-2025-3174

Publication date:
03/04/2025
A vulnerability has been found in Project Worlds Online Lawyer Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /searchLawyer.php. The manipulation of the argument experience leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
23/04/2025

CVE-2025-3175

Publication date:
03/04/2025
A vulnerability was found in Project Worlds Online Lawyer Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /save_user_edit_profile.php. The manipulation of the argument first_Name leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
15/05/2025