Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-27824
Publication date:
07/03/2025
An XSS issue was discovered in the Link iframe formatter module before 1.x-1.1.1 for Backdrop CMS. It doesn't sufficiently sanitize input before displaying results to the screen. This vulnerability is mitigated by the fact that an attacker must have the ability to create content containing an iFrame field.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2025

CVE-2025-27825
Publication date:
07/03/2025
An XSS issue was discovered in the Bootstrap 5 Lite theme before 1.x-1.0.3 for Backdrop CMS. It doesn't sufficiently sanitize certain class names.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2025

CVE-2025-27826
Publication date:
07/03/2025
An XSS issue was discovered in the Bootstrap Lite theme before 1.x-1.4.5 for Backdrop CMS. It doesn't sufficiently sanitize certain class names.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2025

CVE-2025-2093
Publication date:
07/03/2025
A vulnerability was found in PHPGurukul Online Library Management System 3.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /change-password.php. The manipulation of the argument email/phone number leads to weak password recovery. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: LOW
Last modification:
03/04/2025

CVE-2025-2094
Publication date:
07/03/2025
A vulnerability was found in TOTOLINK EX1800T 9.1.0cu.2112_B20220316. It has been rated as critical. Affected by this issue is the function setWiFiExtenderConfig of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument apcliKey/key leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
03/04/2025

CVE-2025-27822
Publication date:
07/03/2025
An issue was discovered in the Masquerade module before 1.x-1.0.1 for Backdrop CMS. It allows people to temporarily switch to another user account. The module provides a "Masquerade as admin" permission to restrict people (who can masquerade) from switching to an account with administrative privileges. This permission is not always honored and may allow non-administrative users to masquerade as an administrator. This vulnerability is mitigated by the fact that an attacker must have a role with the "Masquerade as user" permission.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2025

CVE-2024-42733
Publication date:
07/03/2025
An issue in Docmosis Tornado v.2.9.7 and before allows a remote attacker to execute arbitrary code via a crafted script to the UNC path input
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2025

CVE-2025-2024
Publication date:
07/03/2025
Trimble SketchUp SKP File Parsing Uninitialized Variable Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trimble SketchUp. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.<br /> <br /> The specific flaw exists within the parsing of SKP files. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25210.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2025

CVE-2025-26643
Publication date:
07/03/2025
The UI performs the wrong action in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2025

CVE-2025-27604
Publication date:
07/03/2025
XWiki Confluence Migrator Pro helps admins to import confluence packages into their XWiki instance. The homepage of the application is public which enables a guest to download the package which might contain sensitive information. This vulnerability is fixed in 1.11.7.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2025

CVE-2025-27607
Publication date:
07/03/2025
Python JSON Logger is a JSON Formatter for Python Logging. Between 30 December 2024 and 4 March 2025 Python JSON Logger was vulnerable to RCE through a missing dependency. This occurred because msgspec-python313-pre was deleted by the owner leaving the name open to being claimed by a third party. If the package was claimed, it would allow them RCE on any Python JSON Logger user who installed the development dependencies on Python 3.13 (e.g. pip install python-json-logger[dev]). This issue has been resolved with 3.3.0.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2025

CVE-2025-0162
Publication date:
07/03/2025
IBM Aspera Shares 1.9.9 through 1.10.0 PL7 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2025
Subscribe to Vulnerabilities