Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-59403

Publication date:
02/10/2025
The Flock Safety Android Collins application (aka com.flocksafety.android.collins) 6.35.31 for Android lacks authentication. It is responsible for the camera feed on Falcon, Sparrow, and Bravo devices, but exposes administrative API endpoints on port 8080 without authentication. Endpoints include but are not limited to: /reboot, /logs, /crashpack, and /adb/enable. This results in multiple impacts including denial of service (DoS) via /reboot, information disclosure via /logs, and remote code execution (RCE) via /adb/enable. The latter specifically results in adb being started over TCP without debugging confirmation, providing an attacker on the LAN/WLAN with shell access.
Severity CVSS v4.0: Pending analysis
Last modification:
24/11/2025

CVE-2025-60660

Publication date:
02/10/2025
Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the mac parameter in the fromAdvSetMacMtuWan function.
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2025

CVE-2025-60662

Publication date:
02/10/2025
Tenda AC18 V15.03.05.19 was discovered to contain a stack overflow via the wanSpeed parameter in the fromAdvSetMacMtuWan function.
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2025

CVE-2025-56162

Publication date:
02/10/2025
YOSHOP 2.0 suffers from an unauthenticated SQL injection in the goodsIds parameter of the /api/goods/listByIds endpoint. The getListByIds function concatenates user input into orderRaw('field(goods_id, ...)'), allowing attackers to: (a) enumerate or modify database data, including dumping admin password hashes; (b) write web-shell files or invoke xp_cmdshell, leading to remote code execution on servers configured with sufficient DB privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
30/10/2025

CVE-2025-57305

Publication date:
02/10/2025
VitaraCharts 5.3.5 is vulnerable to Server-Side Request Forgery in fileLoader.jsp.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2025

CVE-2025-56161

Publication date:
02/10/2025
YOSHOP 2.0 allows unauthenticated information disclosure via comment-list API endpoints in the Goods module. The Comment model eagerly loads the related User model without field filtering; because User.php defines no $hidden or $visible attributes, sensitive fields (bcrypt password hash, mobile number, pay_money, expend_money) are exposed in JSON responses. Route names vary per deployment (e.g. /api/goods.pinglun/list), but all call the same vulnerable model logic.
Severity CVSS v4.0: Pending analysis
Last modification:
30/10/2025

CVE-2025-56154

Publication date:
02/10/2025
htmly v3.0.8 is vulnerable to Cross Site Scripting (XSS) in the /author/:name endpoint of the affected application. The name parameter is not properly sanitized before being reflected in the HTML response, allowing attackers to inject arbitrary JavaScript payloads.
Severity CVSS v4.0: Pending analysis
Last modification:
20/01/2026

CVE-2025-60782

Publication date:
02/10/2025
PHP Education Manager v1.0 is vulnerable to a stored Cross-Site Scripting (XSS) vulnerability in the topics management module (topics.php). Attackers can inject malicious JavaScript payloads into the Title field during topic creation or updates.
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2025

CVE-2025-61087

Publication date:
02/10/2025
SourceCodester Pet Grooming Management Software 1.0 is vulnerable to Cross Site Scripting (XSS) via the Customer Name field in the Customer Management section.
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2025

CVE-2025-61096

Publication date:
02/10/2025
PHPGurukul Online Shopping Portal Project v2.1 is vulnerable to SQL Injection in /shopping/login.php via the fullname parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2025

CVE-2025-59771

Publication date:
02/10/2025
Reflected cross-site scripting (XSS) vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL. The affected parameters are 'l', 'demo', 'demo2', 'TNTLOGIN', 'UO' and 'SuppConn' in '/clt/LOGINFRM_MRK.ASP'.
Severity CVSS v4.0: MEDIUM
Last modification:
02/10/2025

CVE-2025-59772

Publication date:
02/10/2025
Reflected cross-site scripting (XSS) vulnerability in AndSoft's e-TMS v25.03. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL. The affected parameters are 'l', 'demo', 'demo2', 'TNTLOGIN', 'UO' and 'SuppConn' in '/clt/LOGINFRM_SIL.ASP'.
Severity CVSS v4.0: MEDIUM
Last modification:
02/10/2025