Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-10695

Publication date:
03/10/2025
Two unauthenticated diagnostic endpoints allow arbitrary backend-initiated network connections to an attacker-supplied destination. Both endpoints are exposed with permission => 'any', enabling unauthenticated SSRF for internal network scanning and service interaction.

This issue affects OpenSupports: 4.11.0.
Severity CVSS v4.0: MEDIUM
Last modification:
22/12/2025

CVE-2025-10692

Publication date:
03/10/2025
The endpoint POST /api/staff/get-new-tickets concatenates the user-controlled parameter departmentId directly into the SQL WHERE clause without parameter binding. As a result, an authenticated staff user (level ≥ 1) can inject SQL to alter the filter logic, effectively bypassing department scoping and disclosing tickets beyond their intended access. This issue affects OpenSupports: 4.11.0.
Severity CVSS v4.0: HIGH
Last modification:
06/10/2025

CVE-2025-53354

Publication date:
03/10/2025
NiceGUI is a Python-based UI framework. Versions 2.24.2 and below are at risk for Cross-Site Scripting (XSS) when developers render unescaped user input into the DOM using ui.html(). NiceGUI did not enforce HTML or JavaScript sanitization, so applications that directly combine components like ui.input() with ui.html() or ui.chat_message with HTML content without escaping may allow attackers to execute arbitrary JavaScript in the user’s browser. Applications that do not pass untrusted input into ui.html() are not affected. This issue is fixed in version 3.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
06/10/2025

CVE-2025-59829

Publication date:
03/10/2025
Claude Code is an agentic coding tool. Versions below 1.0.120 failed to account for symlinks when checking permission deny rules. If a user explicitly denied Claude Code access to a file and Claude Code had access to a symlink pointing to that file, it was possible for Claude Code to access the file. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version. This issue is fixed in version 1.0.120.
Severity CVSS v4.0: LOW
Last modification:
24/10/2025

CVE-2025-54374

Publication date:
03/10/2025
Eidos is an extensible framework for Personal Data Management. Versions 0.21.0 and below contain a one-click remote code execution vulnerability. An attacker can exploit this vulnerability by embedding a specially crafted eidos: URL on any website, including a malicious one they control. When a victim visits such a site or clicks on the link, the browser triggers the app’s custom URL handler (eidos:), causing the Eidos application to launch and process the URL, leading to remote code execution on the victim’s machine. This issue does not have a fix as of October 3, 2025.
Severity CVSS v4.0: Pending analysis
Last modification:
24/10/2025

CVE-2025-49844

Publication date:
03/10/2025
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. A workaround for this issue, without patching the redis-server executable, is to prevent users from executing Lua scripts. This can be done using ACLs to restrict the EVAL and EVALSHA commands.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-57714

Publication date:
03/10/2025
An unquoted search path or element vulnerability has been reported to affect NetBak Replicator. If a local attacker gains a user account, they can then exploit the vulnerability to execute unauthorized code or commands.

We have already fixed the vulnerability in the following version:
NetBak Replicator 4.5.15.0807 and later
Severity CVSS v4.0: HIGH
Last modification:
08/12/2025

CVE-2025-54154

Publication date:
03/10/2025
An improper authentication vulnerability has been reported to affect QNAP Authenticator. If an attacker gains physical access, they can then exploit the vulnerability to compromise the security of the system.

We have already fixed the vulnerability in the following version:
QNAP Authenticator 1.3.1.1227 and later
Severity CVSS v4.0: MEDIUM
Last modification:
10/12/2025

CVE-2025-52862

Publication date:
03/10/2025
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.

We have already fixed the vulnerability in the following versions:
QTS 5.2.6.3195 build 20250715 and later
QuTS hero h5.2.6.3195 build 20250715 and later
Severity CVSS v4.0: MEDIUM
Last modification:
08/10/2025

CVE-2025-52866

Publication date:
03/10/2025
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.

We have already fixed the vulnerability in the following versions:
QTS 5.2.6.3195 build 20250715 and later
QuTS hero h5.2.6.3195 build 20250715 and later
Severity CVSS v4.0: MEDIUM
Last modification:
08/10/2025

CVE-2025-52867

Publication date:
03/10/2025
An uncontrolled resource consumption vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.

We have already fixed the vulnerability in the following version:
Qsync Central 5.0.0.2 (2025/07/31) and later
Severity CVSS v4.0: MEDIUM
Last modification:
08/10/2025

CVE-2025-53406

Publication date:
03/10/2025
A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory.

We have already fixed the vulnerability in the following versions:
QTS 5.2.6.3195 build 20250715 and later
QuTS hero h5.2.6.3195 build 20250715 and later
Severity CVSS v4.0: MEDIUM
Last modification:
08/10/2025