Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-6965

Publication date:

15/07/2025

There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.

Severity CVSS v4.0: HIGH

Last modification:

04/11/2025

CVE-2025-52376

Publication date:

15/07/2025

An authentication bypass vulnerability in the /web/um_open_telnet.cgi endpoint in Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below, allowing an attacker to remotely enable the Telnet service without authentication, bypassing security controls. The Telnet server is then accessible with hard-coded credentials, allowing attackers to gain administrative shell access and execute arbitrary commands on the device.

Severity CVSS v4.0: Pending analysis

Last modification:

15/07/2025

CVE-2025-34116

Publication date:

15/07/2025

A remote command execution vulnerability exists in IPFire before version 2.19 Core Update 101 via the &#39;proxy.cgi&#39; CGI interface. An authenticated attacker can inject arbitrary shell commands through crafted values in the NCSA user creation form fields, leading to command execution with web server privileges.

Severity CVSS v4.0: HIGH

Last modification:

15/07/2025

CVE-2025-34112

Publication date:

15/07/2025

An authenticated multi-stage remote code execution vulnerability exists in Riverbed SteelCentral NetProfiler and NetExpress 10.8.7 virtual appliances. A SQL injection vulnerability in the &#39;/api/common/1.0/login&#39; endpoint can be exploited to create a new user account in the appliance database. This user can then trigger a command injection vulnerability in the &#39;/index.php?page=licenses&#39; endpoint to execute arbitrary commands. The attacker may escalate privileges to root by exploiting an insecure sudoers configuration that allows the &#39;mazu&#39; user to execute arbitrary commands as root via SSH key extraction and command chaining. Successful exploitation allows full remote root access to the virtual appliance.

Severity CVSS v4.0: CRITICAL

Last modification:

15/07/2025

CVE-2025-34113

Publication date:

15/07/2025

An authenticated command injection vulnerability exists in Tiki Wiki CMS versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar module is enabled and an authenticated user has permission to access it, an attacker can inject and execute arbitrary PHP code. Successful exploitation leads to remote code execution in the context of the web server user.

Severity CVSS v4.0: HIGH

Last modification:

15/07/2025

CVE-2025-34115

Publication date:

15/07/2025

An authenticated command injection vulnerability exists in OP5 Monitor through version 7.1.9 via the &#39;cmd_str&#39; parameter in the command_test.php endpoint. A user with access to the web interface can exploit the &#39;Test this command&#39; feature to execute arbitrary shell commands as the unprivileged web application user. The vulnerability resides in the configuration section of the application and requires valid login credentials with access to the command testing functionality. This issue is fixed in version 7.2.0.

Severity CVSS v4.0: HIGH

Last modification:

15/07/2025

CVE-2025-34106

Publication date:

15/07/2025

A buffer overflow vulnerability exists in PDF Shaper versions 3.5 and 3.6 when converting a crafted PDF file to an image using the &#39;Convert PDF to Image&#39; functionality. An attacker can exploit this vulnerability by tricking a user into opening a maliciously crafted PDF file, leading to arbitrary code execution under the context of the user. This vulnerability has been verified on Windows XP, 7, 8, and 10 platforms using the PDFTools.exe component.

Severity CVSS v4.0: HIGH

Last modification:

15/07/2025

CVE-2025-34107

Publication date:

15/07/2025

A buffer overflow vulnerability exists in the WinaXe FTP Client version 7.7 within the FTP banner parsing functionality, WCMDPA10.dll. When the client connects to a remote FTP server and receives an overly long &#39;220 Server Ready&#39; response, the vulnerable component responsible for parsing the banner overflows a stack buffer, leading to arbitrary code execution under the context of the user.

Severity CVSS v4.0: HIGH

Last modification:

15/07/2025

CVE-2025-34108

Publication date:

15/07/2025

A stack-based buffer overflow vulnerability exists in the login functionality of Disk Pulse Enterprise version 9.0.34. An attacker can send a specially crafted HTTP POST request to the /login endpoint with an overly long username parameter, causing a buffer overflow in the libspp.dll component. Successful exploitation allows arbitrary code execution with SYSTEM privileges.

Severity CVSS v4.0: HIGH

Last modification:

15/07/2025

CVE-2025-34105

Publication date:

15/07/2025

A stack-based buffer overflow vulnerability exists in the built-in web interface of DiskBoss Enterprise versions 7.4.28, 7.5.12, and 8.2.14. The vulnerability arises from improper bounds checking on the path component of HTTP GET requests. By sending a specially crafted long URI, a remote unauthenticated attacker can trigger a buffer overflow, potentially leading to arbitrary code execution with SYSTEM privileges on vulnerable Windows hosts.

Severity CVSS v4.0: CRITICAL

Last modification:

15/07/2025

CVE-2025-34109

Publication date:

15/07/2025

PSEvents.exe in multiple Panda Security products runs hourly with SYSTEM privileges and loads DLL files from a user-writable directory without proper validation. An attacker with low-privileged access who can write DLL files to the monitored directory can achieve arbitrary code execution with SYSTEM privileges. Affected products include Panda Global Protection 2016, Panda Antivirus Pro 2016, Panda Small Business Protection, and Panda Internet Security 2016 (all versions up to 16.1.2).

Severity CVSS v4.0: HIGH

Last modification:

15/07/2025

CVE-2025-34110

Publication date:

15/07/2025

A directory traversal vulnerability exists in ColoradoFTP Server ≤ 1.3 Build 8 for Windows, allowing unauthenticated attackers to read or write arbitrary files outside the configured FTP root directory. The flaw is due to insufficient sanitation of user-supplied file paths in the FTP GET and PUT command handlers. Exploitation is possible by submitting traversal sequences during FTP operations, enabling access to system-sensitive files. This issue affects only the Windows version of ColoradoFTP.

Severity CVSS v4.0: CRITICAL

Last modification:

15/07/2025

Subscribe to Vulnerabilities