Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-55199

Publication date:
10/03/2025
A Stored Cross Site Scripting (XSS) vulnerability in Celk Sistemas Celk Saude v.3.1.252.1 allows a remote attacker to store JavaScript code inside a PDF file through the file upload feature. When the file is rendered, the injected code is executed on the user's browser.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2025

CVE-2025-24813

Publication date:
10/03/2025
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack

Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2025

CVE-2025-25977

Publication date:
10/03/2025
An issue in canvg v.4.0.2 allows an attacker to execute arbitrary code via the Constructor of the class StyleElement.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2025

CVE-2025-25382

Publication date:
10/03/2025
An issue in the Property Tax Payment Portal in Information Kerala Mission SANCHAYA v3.0.4 allows attackers to arbitrarily modify payment amounts via a crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2025

CVE-2025-25940

Publication date:
10/03/2025
VisiCut 2.1 allows code execution via Insecure XML Deserialization in the loadPlfFile method of VisicutModel.java.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2025

CVE-2024-47109

Publication date:
10/03/2025
IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.3 UI could disclose the installation path of the server which could aid in further attacks against the system.
Severity CVSS v4.0: Pending analysis
Last modification:
10/03/2025

CVE-2024-52905

Publication date:
10/03/2025
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.3 could disclose sensitive database information to a privileged user.
Severity CVSS v4.0: Pending analysis
Last modification:
10/03/2025

CVE-2025-26936

Publication date:
10/03/2025
Improper Control of Generation of Code ('Code Injection') vulnerability in NotFound Fresh Framework allows Code Injection. This issue affects Fresh Framework: from n/a through 1.70.0.
Severity CVSS v4.0: Pending analysis
Last modification:
10/03/2025

CVE-2025-26916

Publication date:
10/03/2025
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in EPC Massive Dynamic. This issue affects Massive Dynamic: from n/a through 8.2.
Severity CVSS v4.0: Pending analysis
Last modification:
10/03/2025

CVE-2025-26933

Publication date:
10/03/2025
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nitin Prakash WC Place Order Without Payment allows PHP Local File Inclusion. This issue affects WC Place Order Without Payment: from n/a through 2.6.7.
Severity CVSS v4.0: Pending analysis
Last modification:
10/03/2025

CVE-2025-25614

Publication date:
10/03/2025
Incorrect Access Control in Unifiedtransform 2.0 leads to Privilege Escalation, which allows teachers to update the personal data of fellow teachers.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2025

CVE-2025-25620

Publication date:
10/03/2025
Unifiedtransform 2.0 is vulnerable to Cross Site Scripting (XSS) in the Create assignment function.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2025