Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-54951

Publication date:
07/08/2025
A group of related buffer overflow vulnerabilities in the loading of ExecuTorch models can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit cea9b23aa8ff78aff92829a466da97461cc7930c.
Severity CVSS v4.0: Pending analysis
Last modification:
12/08/2025

CVE-2025-54787

Publication date:
07/08/2025
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. There is a vulnerability in SuiteCRM version 7.14.6 which allows unauthenticated downloads of any file from the upload-directory, as long as it is named by an ID (e.g. attachments). An unauthenticated attacker could download internal files when he discovers a valid file-ID. Valid IDs could be brute-forced, but this is quite time-consuming as the file-IDs are usually UUIDs. This issue is fixed in version 7.14.7.
Severity CVSS v4.0: Pending analysis
Last modification:
12/08/2025

CVE-2025-8701

Publication date:
07/08/2025
A vulnerability was found in Wanzhou WOES Intelligent Optimization Energy Saving System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /OL_OprationLog/GetPageList. The manipulation of the argument optUser leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
03/09/2025

CVE-2025-8698

Publication date:
07/08/2025
A vulnerability was found in Open5GS up to 2.7.5. It has been classified as problematic. Affected is the function amf_nsmf_pdusession_handle_release_sm_context of the file src/amf/nsmf-handler.c of the component AMF Service. The manipulation leads to reachable assertion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The name of the patch is 66bc558e417e70ae216ec155e4e81c14ae0ecf30. It is recommended to apply a patch to fix this issue.
Severity CVSS v4.0: MEDIUM
Last modification:
07/08/2025

CVE-2025-53767

Publication date:
07/08/2025
Azure OpenAI Elevation of Privilege Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
14/08/2025

CVE-2025-53774

Publication date:
07/08/2025
Microsoft 365 Copilot BizChat Information Disclosure Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
14/08/2025

CVE-2025-53787

Publication date:
07/08/2025
Microsoft 365 Copilot BizChat Information Disclosure Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
14/08/2025

CVE-2025-53792

Publication date:
07/08/2025
Azure Portal Elevation of Privilege Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
14/08/2025

CVE-2025-45765

Publication date:
07/08/2025
ruby-jwt v3.0.0.beta1 was discovered to contain weak encryption. NOTE: the Supplier's perspective is "keysize is not something that is enforced by this library. Currently more recent versions of OpenSSL are enforcing some key sizes and those restrictions apply to the users of this gem also."
Severity CVSS v4.0: Pending analysis
Last modification:
12/08/2025

CVE-2025-26513

Publication date:
07/08/2025
The installer for SAN Host Utilities for Windows versions prior to 8.0 is susceptible to a vulnerability which when successfully exploited could allow a local user to escalate their privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2026

CVE-2025-48709

Publication date:
07/08/2025
BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. An authenticated attacker with shell access could observe these credentials and use them to log in to the database server. For example, when Control-M/Server on Windows has a database connection on, it runs 'DBUStatus.exe' frequently, which then calls 'dbu_connection_details.vbs' with the username, password, database hostname, and port written in cleartext, which can be seen in event and process logs in two separate locations. Fixed in PACTV.9.0.21.307.
Severity CVSS v4.0: MEDIUM
Last modification:
18/12/2025

CVE-2025-47183

Publication date:
07/08/2025
In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_tree function may read past the end of a heap buffer while parsing an MP4 file, leading to information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
12/08/2025