Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, since entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, since different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-53348

Publication date:
21/03/2025
LoxiLB v.0.9.7 and before is vulnerable to Incorrect Access Control which allows attackers to obtain sensitive information and escalate privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2025

CVE-2019-16151

Publication date:
21/03/2025
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiOS 6.4.1 and below, 6.2.9 and below may allow a remote unauthenticated attacker to either redirect users to malicious websites via a crafted "Host" header or to execute JavaScript code in the victim's browser context. This happens when the FortiGate has web filtering and category override enabled/configured.
Severity CVSS v4.0: Pending analysis
Last modification:
21/03/2025

CVE-2025-2598

Publication date:
21/03/2025
When the AWS Cloud Development Kit (AWS CDK) Command Line Interface (AWS CDK CLI) is used with a credential plugin which returns an expiration property with the retrieved AWS credentials, the credentials are printed to the console output. To mitigate this issue, users should upgrade to version 2.178.2 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
Severity CVSS v4.0: MEDIUM
Last modification:
21/03/2025

CVE-2025-30168

Publication date:
21/03/2025
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 7.5.2 and 8.0.2, the 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse Server apps. For example, if a user signed up using the same authentication provider in two unrelated Parse Server apps, the credentials stored by one app can be used to authenticate the same user in the other app. Note that this only affects Parse Server apps that specifically use an affected 3rd party authentication provider for user authentication, for example by setting the Parse Server option auth to configure a Parse Server authentication adapter. The fix of this vulnerability requires to upgrade Parse Server to a version that includes the bug fix, as well as upgrade the client app to send a secure payload, which is different from the previous insecure payload. This vulnerability is fixed in 7.5.2 and 8.0.2.
Severity CVSS v4.0: Pending analysis
Last modification:
21/03/2025

CVE-2025-30157

Publication date:
21/03/2025
Envoy is a cloud-native high-performance edge/middle/service proxy. Prior to 1.33.1, 1.32.4, 1.31.6, and 1.30.10, Envoy's ext_proc HTTP filter is at risk of crashing if a local reply is sent to the external server due to the filter's life time issue. A known situation is the failure of a websocket handshake will trigger a local reply leading to the crash of Envoy. This vulnerability is fixed in 1.33.1, 1.32.4, 1.31.6, and 1.30.10.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2025

CVE-2025-24915

Publication date:
21/03/2025
When installing Nessus Agent to a non-default location on a Windows host, Nessus Agent versions prior to 10.8.3 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation location.
Severity CVSS v4.0: Pending analysis
Last modification:
21/03/2025

CVE-2025-27612

Publication date:
21/03/2025
libcontainer is a library for container control. Prior to libcontainer 0.5.3, while creating a tenant container, the tenant builder accepts a list of capabilities to be added in the spec of tenant container. The logic here adds the given capabilities to all capabilities of main container if present in spec, otherwise simply set provided capabilities as capabilities of the tenant container. However, setting inherited caps in any case for tenant container can lead to elevation of capabilities, similar to CVE-2022-29162. This does not affect youki binary itself. This is only applicable if you are using libcontainer directly and using the tenant builder.
Severity CVSS v4.0: Pending analysis
Last modification:
21/03/2025

CVE-2025-2593

Publication date:
21/03/2025
A vulnerability has been found in FastCMS up to 0.1.5 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /api/client/article/list. The manipulation of the argument orderBy leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
01/04/2025

CVE-2025-29641

Publication date:
21/03/2025
Phpgurukul Vehicle Record Management System v1.0 is vulnerable to SQL Injection in /index.php via the 'searchinputdata' parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2025

CVE-2025-29640

Publication date:
21/03/2025
Phpgurukul Human Metapneumovirus (HMPV) – Testing Management System v1.0 is vulnerable to SQL Injection in /patient-report.php via the parameter searchdata.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2025

CVE-2025-29927

Publication date:
21/03/2025
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2025

CVE-2021-25635

Publication date:
21/03/2025
An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to self sign an ODF document, with a signature untrusted by the target, then modify it to change the signature algorithm to an invalid (or unknown to LibreOffice) algorithm, and LibreOffice would incorrectly present such a signature with an unknown algorithm as a valid signature issued by a trusted person.

This issue affects LibreOffice: from 7.0 before 7.0.5, from 7.1 before 7.1.1.
Severity CVSS v4.0: MEDIUM
Last modification:
21/03/2025