Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list shows vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: you can select criteria such as vulnerability type, manufacturer and impact level to narrow down the results.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-30483

Publication date:
15/07/2025
Dell ECS versions prior to 3.8.1.5 / ObjectScale version 4.0.0.0 contain an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2025

CVE-2025-33097

Publication date:
15/07/2025
IBM QRadar SIEM 7.5 - 7.5.0 UP12 IF02 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity CVSS v4.0: Pending analysis
Last modification:
07/08/2025

CVE-2025-52377

Publication date:
15/07/2025
Command injection vulnerability in Nexxt Solutions NCM-X1800 Mesh Router versions UV1.2.7 and below, allowing authenticated attackers to execute arbitrary commands on the device. The vulnerability is present in the web management interface's ping and traceroute functionality, specifically in the /web/um_ping_set.cgi endpoint. The application fails to properly sanitize user input in the `Ping_host_text` parameter before passing it to the underlying system command, allowing attackers to inject and execute arbitrary shell commands as the root user.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2025

CVE-2025-48795

Publication date:
15/07/2025
Apache CXF stores large stream based messages as temporary files on the local filesystem. A bug was introduced which means that the entire temporary file is read into memory and then logged. An attacker might be able to exploit this to cause a denial of service attack by causing an out of memory exception. In addition, it is possible to configure CXF to encrypt temporary files to prevent sensitive credentials from being cached unencrypted on the local filesystem, however this bug means that the cached files are written out to logs unencrypted. Users are recommended to upgrade to versions 3.5.11, 3.6.6, 4.0.7 or 4.1.1, which fix this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-6965

Publication date:
15/07/2025
There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.
Severity CVSS v4.0: HIGH
Last modification:
04/11/2025

CVE-2025-52376

Publication date:
15/07/2025
An authentication bypass vulnerability in the /web/um_open_telnet.cgi endpoint in Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below, allowing an attacker to remotely enable the Telnet service without authentication, bypassing security controls. The Telnet server is then accessible with hard-coded credentials, allowing attackers to gain administrative shell access and execute arbitrary commands on the device.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2025

CVE-2025-34116

Publication date:
15/07/2025
A remote command execution vulnerability exists in IPFire before version 2.19 Core Update 101 via the 'proxy.cgi' CGI interface. An authenticated attacker can inject arbitrary shell commands through crafted values in the NCSA user creation form fields, leading to command execution with web server privileges.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2025

CVE-2025-34112

Publication date:
15/07/2025
An authenticated multi-stage remote code execution vulnerability exists in Riverbed SteelCentral NetProfiler and NetExpress 10.8.7 virtual appliances. A SQL injection vulnerability in the '/api/common/1.0/login' endpoint can be exploited to create a new user account in the appliance database. This user can then trigger a command injection vulnerability in the '/index.php?page=licenses' endpoint to execute arbitrary commands. The attacker may escalate privileges to root by exploiting an insecure sudoers configuration that allows the 'mazu' user to execute arbitrary commands as root via SSH key extraction and command chaining. Successful exploitation allows full remote root access to the virtual appliance.
Severity CVSS v4.0: CRITICAL
Last modification:
15/07/2025

CVE-2025-34113

Publication date:
15/07/2025
An authenticated command injection vulnerability exists in Tiki Wiki CMS versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar module is enabled and an authenticated user has permission to access it, an attacker can inject and execute arbitrary PHP code. Successful exploitation leads to remote code execution in the context of the web server user.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2025

CVE-2025-34115

Publication date:
15/07/2025
An authenticated command injection vulnerability exists in OP5 Monitor through version 7.1.9 via the 'cmd_str' parameter in the command_test.php endpoint. A user with access to the web interface can exploit the 'Test this command' feature to execute arbitrary shell commands as the unprivileged web application user. The vulnerability resides in the configuration section of the application and requires valid login credentials with access to the command testing functionality. This issue is fixed in version 7.2.0.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2025

CVE-2025-34106

Publication date:
15/07/2025
A buffer overflow vulnerability exists in PDF Shaper versions 3.5 and 3.6 when converting a crafted PDF file to an image using the 'Convert PDF to Image' functionality. An attacker can exploit this vulnerability by tricking a user into opening a maliciously crafted PDF file, leading to arbitrary code execution under the context of the user. This vulnerability has been verified on Windows XP, 7, 8, and 10 platforms using the PDFTools.exe component.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2025

CVE-2025-34107

Publication date:
15/07/2025
A buffer overflow vulnerability exists in the WinaXe FTP Client version 7.7 within the FTP banner parsing functionality, WCMDPA10.dll. When the client connects to a remote FTP server and receives an overly long '220 Server Ready' response, the vulnerable component responsible for parsing the banner overflows a stack buffer, leading to arbitrary code execution under the context of the user.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2025