Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, for users interested in this information. It includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-11281

Publication date:
05/10/2025
A vulnerability has been found in Frappe LMS 2.35.0. The affected element is an unknown function of the file /courses/ of the component Unpublished Course Handler. Such manipulation leads to improper access controls. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. You should upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.
Severity CVSS v4.0: LOW
Last modification:
07/10/2025

CVE-2025-11280

Publication date:
05/10/2025
A flaw has been found in Frappe LMS 2.35.0. Impacted is an unknown function of the file /files/ of the component Assignment Picture Handler. This manipulation causes direct request. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. It is advisable to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.
Severity CVSS v4.0: MEDIUM
Last modification:
07/10/2025

CVE-2025-11279

Publication date:
05/10/2025
A vulnerability was detected in Axosoft Scrum and Bug Tracking 22.1.1.11545. This issue affects some unknown processing of the component Add Work Item Page. The manipulation of the argument Title results in csv injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2025-11278

Publication date:
05/10/2025
A security vulnerability has been detected in AllStarLink Supermon up to 6.2. This vulnerability affects unknown code of the component AllMon2. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2025-11277

Publication date:
05/10/2025
A weakness has been identified in Open Asset Import Library Assimp 6.0.2. This affects the function Q3DImporter::InternReadFile of the file assimp/code/AssetLib/Q3D/Q3DLoader.cpp. Executing a manipulation can lead to heap-based buffer overflow. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks.
Severity CVSS v4.0: MEDIUM
Last modification:
24/02/2026

CVE-2025-11276

Publication date:
05/10/2025
A security flaw has been discovered in Rebuild up to 4.1.3. Affected by this issue is some unknown functionality of the component Comment/Guestbook. Performing manipulation results in cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 4.1.4 can resolve this issue. It is suggested to upgrade the affected component. According to the researcher the vendor has confirmed the flaw and fix in a private issue response.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2025-11274

Publication date:
05/10/2025
A vulnerability was determined in Open Asset Import Library Assimp 6.0.2. Affected is the function Q3DImporter::InternReadFile of the file assimp/code/AssetLib/Q3D/Q3DLoader.cpp. This manipulation causes allocation of resources. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized.
Severity CVSS v4.0: MEDIUM
Last modification:
08/10/2025

CVE-2025-11275

Publication date:
05/10/2025
A vulnerability was identified in Open Asset Import Library Assimp 6.0.2. Affected by this vulnerability is the function ODDLParser::getNextSeparator in the library assimp/contrib/openddlparser/include/openddlparser/OpenDDLParserUtils.h. Such manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used.
Severity CVSS v4.0: MEDIUM
Last modification:
08/10/2025

CVE-2025-11273

Publication date:
04/10/2025
A vulnerability was found in LaChatterie Verger up to 1.2.10. This impacts the function redirectToAuthorization of the file /src/main/services/mcp/oauth/provider.ts. The manipulation of the argument URL results in deserialization. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2025-11272

Publication date:
04/10/2025
A vulnerability has been found in SeriaWei ZKEACMS up to 4.3. This affects the function Delete of the file src/ZKEACMS.Redirection/Controllers/UrlRedirectionController.cs of the component POST Request Handler. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2023-53614

Publication date:
04/10/2025
In the Linux kernel, the following vulnerability has been resolved:

mm/ksm: fix race with VMA iteration and mm_struct teardown

exit_mmap() will tear down the VMAs and maple tree with the mmap_lock held in write mode. Ensure that the maple tree is still valid by checking ksm_test_exit() after taking the mmap_lock in read mode, but before the for_each_vma() iterator dereferences a destroyed maple tree.

Since the maple tree is destroyed, the flags telling lockdep to check an external lock has been cleared. Skip the for_each_vma() iterator to avoid dereferencing a maple tree without the external lock flag, which would create a lockdep warning.
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2026

CVE-2023-53613

Publication date:
04/10/2025
In the Linux kernel, the following vulnerability has been resolved:

dax: Fix dax_mapping_release() use after free

A CONFIG_DEBUG_KOBJECT_RELEASE test of removing a device-dax region provider (like modprobe -r dax_hmem) yields:

    kobject: 'mapping0' (ffff93eb460e8800): kobject_release, parent 0000000000000000 (delayed 2000)
    [..]
    DEBUG_LOCKS_WARN_ON(1)
    WARNING: CPU: 23 PID: 282 at kernel/locking/lockdep.c:232 __lock_acquire+0x9fc/0x2260
    [..]
    RIP: 0010:__lock_acquire+0x9fc/0x2260
    [..]
    Call Trace:
    [..]
    lock_acquire+0xd4/0x2c0
    ? ida_free+0x62/0x130
    _raw_spin_lock_irqsave+0x47/0x70
    ? ida_free+0x62/0x130
    ida_free+0x62/0x130
    dax_mapping_release+0x1f/0x30
    device_release+0x36/0x90
    kobject_delayed_cleanup+0x46/0x150

Due to attempting ida_free() on an ida object that has already been freed. Devices typically only hold a reference on their parent while registered. If a child needs a parent object to complete its release it needs to hold a reference that it drops from its release callback. Arrange for a dax_mapping to pin its parent dev_dax instance until dax_mapping_release().
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2026