Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-45619
Publication date:
30/07/2025
An issue in Aver PTC310UV2 firmware v.0.1.0000.59 allows a remote attacker to execute arbitrary code via the SendAction function
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2025-45620
Publication date:
30/07/2025
An issue in Aver PTC310UV2 v.0.1.0000.59 allows a remote attacker to obtain sensitive information via a crafted request
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2025-36611
Publication date:
30/07/2025
Dell Encryption and Dell Security Management Server, versions prior to 11.11.0, contain an Improper Link Resolution Before File Access ('Link Following') Vulnerability. A local malicious user could potentially exploit this vulnerability, leading to privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2024-45955
Publication date:
30/07/2025
Rocket Software Rocket Zena 4.4.1.26 is vulnerable to SQL Injection via the filter parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2025-8312
Publication date:
30/07/2025
Deadlock in PAM automatic check-in feature in Devolutions Server allows a password to remain valid beyond the end of its intended check-out period due to a deadlock occurring in the scheduling service.This issue affects the following version(s) :<br /> <br /> * <br /> Devolutions Server 2025.2.2.0 through 2025.2.5.0<br /> * Devolutions Server 2025.1.12.0 and earlier
Severity CVSS v4.0: Pending analysis
Last modification:
19/08/2025

CVE-2025-8353
Publication date:
30/07/2025
UI synchronization issue in the Just-in-Time (JIT) access request approval interface in Devolutions Server 2025.2.4.0 and earlier allows a remote authenticated attacker to gain unauthorized access to deleted JIT Groups via stale UI state during standard checkout request processing.
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2025-50578
Publication date:
30/07/2025
LinuxServer.io heimdall 2.6.3-ls307 contains a vulnerability in how it handles user-supplied HTTP headers, specifically `X-Forwarded-Host` and `Referer`. An unauthenticated remote attacker can manipulate these headers to perform Host Header Injection and Open Redirect attacks. This allows the loading of external resources from attacker-controlled domains and unintended redirection of users, potentially enabling phishing, UI redress, and session theft. The vulnerability exists due to insufficient validation and trust of untrusted input, affecting the integrity and trustworthiness of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
25/08/2025

CVE-2025-54656
Publication date:
30/07/2025
** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts.<br /> <br /> This issue affects Apache Struts Extras: before 2.<br /> <br /> When using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs without any filtering. Specially-crafted input may lead to log output where part of the message masquerades as a separate log line, confusing consumers of the logs (either human or automated). <br /> <br /> As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.<br /> <br /> NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2023-2593
Publication date:
30/07/2025
A flaw exists within the Linux kernel&amp;#39;s handling of new TCP connections. The issue results from the lack of memory release after its effective lifetime. This vulnerability allows an unauthenticated attacker to create a denial of service condition on the system.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2025

CVE-2025-53357
Publication date:
30/07/2025
GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.78 through 10.0.18, a connected user can alter the reservations of another user. This is fixed in version 10.0.19.
Severity CVSS v4.0: Pending analysis
Last modification:
04/08/2025

CVE-2025-53944
Publication date:
30/07/2025
AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents. In v0.6.15 and below, the external API&amp;#39;s get_graph_execution_results endpoint has an authorization bypass vulnerability. While it correctly validates user access to the graph_id, it fails to verify ownership of the graph_exec_id parameter, allowing authenticated users to access any execution results by providing arbitrary execution IDs. The internal API implements proper validation for both parameters. This is fixed in v0.6.16.
Severity CVSS v4.0: Pending analysis
Last modification:
05/08/2025

CVE-2025-54433
Publication date:
30/07/2025
Bugsink is a self-hosted error tracking service. In versions 1.4.2 and below, 1.5.0 through 1.5.4, 1.6.0 through 1.6.3, and 1.7.0 through 1.7.3, ingestion paths construct file locations directly from untrusted event_id input without validation. A specially crafted event_id can result in paths outside the intended directory, potentially allowing file overwrite or creation in arbitrary locations. Submitting such input requires access to a valid DSN, potentially exposing them. If Bugsink runs in a container, the effect is confined to the container’s filesystem. In non-containerized setups, the overwrite may affect other parts of the system accessible to that user. This is fixed in versions 1.4.3, 1.5.5, 1.6.4 and 1.7.4.
Severity CVSS v4.0: HIGH
Last modification:
31/07/2025
Subscribe to Vulnerabilities