Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used in order to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to the available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-48474

Publication date:
29/05/2025
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application incorrectly checks user access rights for conversations. Users with show_only_assigned_conversations enabled can assign themselves to an arbitrary conversation from the mailbox to which they have access, thereby bypassing the restriction on viewing conversations. This issue has been patched in version 1.8.180.
Severity CVSS v4.0: MEDIUM
Last modification:
02/07/2025

CVE-2025-45474

Publication date:
29/05/2025
maccms10 v2025.1000.4047 is vulnerable to Server-side request forgery (SSRF) in Email Settings.
Severity CVSS v4.0: Pending analysis
Last modification:
19/06/2025

CVE-2025-48389

Publication date:
29/05/2025
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, FreeScout is vulnerable to deserialization of untrusted data due to insufficient validation. Through the set function, a string containing a serialized object can be passed, and when the option is retrieved through the get method, deserialization occurs, which allows arbitrary code execution. This issue has been patched in version 1.8.178.
Severity CVSS v4.0: HIGH
Last modification:
11/07/2025

CVE-2025-48390

Publication date:
29/05/2025
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, FreeScout is vulnerable to code injection due to insufficient validation of user input in the php_path parameter. Backtick characters are not removed, and neither are tab characters. When checking user input, the file_exists function is also called to check for the presence of such a file (or folder) in the file system. A user with the administrator role can create a translation for a language, which creates a folder in the file system. Later, in tools.php, the user can specify the path to this folder as php_path, which leads to the execution of the code in backticks. This issue has been patched in version 1.8.178.
Severity CVSS v4.0: HIGH
Last modification:
11/07/2025

CVE-2025-48471

Publication date:
29/05/2025
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, the application does not check or performs insufficient checking of files uploaded to the application. This allows files to be uploaded with the phtml and phar extensions, which can lead to remote code execution if the Apache web server is used. This issue has been patched in version 1.8.179.
Severity CVSS v4.0: HIGH
Last modification:
10/06/2025

CVE-2025-48472

Publication date:
29/05/2025
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, there is no check to ensure that the user is disabling notifications only for a mailbox to which they already have access. Moreover, the code explicitly implements behaviour whereby, if the user does not have access to the mailbox, disabling (or enabling) notifications for that mailbox grants the user access to it. This issue has been patched in version 1.8.179.
Severity CVSS v4.0: MEDIUM
Last modification:
10/06/2025

CVE-2025-3913

Publication date:
29/05/2025
Mattermost versions 10.7.x
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2025

CVE-2025-4081

Publication date:
29/05/2025
Use of the entitlement "com.apple.security.cs.disable-library-validation" and the lack of launch and library load constraints allow a legitimate dylib to be substituted with a malicious one. A local attacker with unprivileged access can execute the application with the altered dynamic library, successfully bypassing Transparency, Consent, and Control (TCC). Acquired resource access is limited to permissions previously granted by the user. Access to other resources beyond the granted permissions requires user interaction with a system prompt asking for permission. This issue affects DaVinci Resolve on macOS in all versions. Last tested version: 19.1.3
Severity CVSS v4.0: MEDIUM
Last modification:
30/05/2025

CVE-2025-5321

Publication date:
29/05/2025
A vulnerability classified as critical was found in aimhubio aim up to 3.29.1. This vulnerability affects the function RestrictedPythonQuery of the file /aim/storage/query.py of the component run_view Object Handler. Manipulation of the argument query leads to privilege escalation. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
19/09/2025

CVE-2025-5334

Publication date:
29/05/2025
Exposure of private personal information to an unauthorized actor in the user vaults component of Devolutions Remote Desktop Manager allows an authenticated user to gain unauthorized access to private personal information.

Under specific circumstances, entries may be unintentionally moved from user vaults to shared vaults when edited by their owners, making them accessible to other users.

This issue affects the following versions:

* Remote Desktop Manager Windows 2025.1.34.0 and earlier
* Remote Desktop Manager macOS 2025.1.16.3 and earlier
* Remote Desktop Manager Android 2025.1.3.3 and earlier
* Remote Desktop Manager iOS 2025.1.6.0 and earlier
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2025

CVE-2025-48748

Publication date:
29/05/2025
Netwrix Directory Manager (formerly Imanami GroupID) through v.10.0.7784.0 has a hard-coded password.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2025

CVE-2024-22653

Publication date:
29/05/2025
yasm commit 9defefae was discovered to contain a NULL pointer dereference via the yasm_section_bcs_append function at section.c.
Severity CVSS v4.0: Pending analysis
Last modification:
18/06/2025