Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-13950
Publication date:
22/05/2025
Log injection vulnerabilities in ASPECT provide attacker access to inject malicious browser scripts if administrator credentials become compromised.This issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.
Severity CVSS v4.0: MEDIUM
Last modification:
23/05/2025

CVE-2024-13951
Publication date:
22/05/2025
One way hash with predictable salt vulnerabilities in ASPECT may expose sensitive information to a potential attackerThis issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.
Severity CVSS v4.0: MEDIUM
Last modification:
23/05/2025

CVE-2025-48066
Publication date:
22/05/2025
wire-webapp is the web application for the open-source messaging service Wire. A bug fix caused a regression causing an issue with function to delete local data. Instructing the client to delete its local database on user logout does not result in deletion. This is the case for both temporary clients (marking the device as a public computer on login) and regular clients instructing the deletion of all personal information and conversations upon logout. Access to the machine is required to access the data. If encryption-at-rest is used, cryptographic material can't be exported. The underlying issue has been fixed with wire-webapp version 2025-05-14-production.0. In order to mitigate potential impact, the database must be manually deleted on devices where the option "This is a public computer" was used prior to log in or a log out with the request to delete local data with the affected versions has happened before.
Severity CVSS v4.0: Pending analysis
Last modification:
30/05/2025

CVE-2025-48075
Publication date:
22/05/2025
Fiber is an Express-inspired web framework written in Go. Starting in version 2.52.6 and prior to version 2.52.7, `fiber.Ctx.BodyParser` can map flat data to nested slices using `key[idx]value` syntax, but when idx is negative, it causes a panic instead of returning an error stating it cannot process the data. Since this data is user-provided, this could lead to denial of service for anyone relying on this `fiber.Ctx.BodyParser` functionality. Version 2.52.7 fixes the issue.
Severity CVSS v4.0: HIGH
Last modification:
30/05/2025

CVE-2025-48366
Publication date:
22/05/2025
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a stored and blind XSS vulnerability exists in the Phone Number field of the user profile within the GroupOffice application. This allows a malicious actor to inject persistent JavaScript payloads, which are triggered in the context of another user when they view the Address Book. Successful exploitation enables actions such as forced redirects, unauthorized fetch requests, or other arbitrary JavaScript execution without user interaction. Versions 6.8.119 and 25.0.20 contain a fix for the issue.
Severity CVSS v4.0: MEDIUM
Last modification:
30/05/2025

CVE-2025-48368
Publication date:
22/05/2025
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a DOM-based Cross-Site Scripting (XSS) vulnerability exists in the GroupOffice application, allowing attackers to execute arbitrary JavaScript code in the context of the victim's browser. This can lead to session hijacking, defacement, or redirection to malicious sites. The vulnerability can be triggered by injecting a crafted payload into a parameter that is later processed unsafely in the DOM. Versions 6.8.119 and 25.0.20 contain a fix for the issue.
Severity CVSS v4.0: MEDIUM
Last modification:
30/05/2025

CVE-2025-48369
Publication date:
22/05/2025
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a persistent Cross-Site Scripting (XSS) vulnerability exists in Groupoffice's tasks comment functionality, allowing attackers to execute arbitrary JavaScript by uploading an file with a crafted filename. When administrators or other users view the task containing this malicious file, the payload executes in their browser context. The application fails to sanitize image filenames before rendering them in the comment. By uploading an image with a crafted filename containing XSS payloads, attackers can steal sensitive information. Versions 6.8.119 and 25.0.20 contain a fix for the issue.
Severity CVSS v4.0: MEDIUM
Last modification:
30/05/2025

CVE-2025-30172
Publication date:
22/05/2025
Remote Code Execution vulnerabilities are present in ASPECT if session administrator credentials become compromised<br /> This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.
Severity CVSS v4.0: HIGH
Last modification:
23/05/2025

CVE-2025-30173
Publication date:
22/05/2025
File upload vulnerabilities are present in ASPECT if session administrator credentials become compromised<br /> This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.
Severity CVSS v4.0: MEDIUM
Last modification:
23/05/2025

CVE-2025-2410
Publication date:
22/05/2025
Port manipulation vulnerabilities in ASPECT provide attackers with the ability to con-trol TCP/IP port access if session administrator credentials become compromised.<br /> This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.
Severity CVSS v4.0: HIGH
Last modification:
23/05/2025

CVE-2025-30169
Publication date:
22/05/2025
File upload and execute vulnerabilities in ASPECT allow PHP script injection if session administrator credentials become compromised.<br /> This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.
Severity CVSS v4.0: MEDIUM
Last modification:
23/05/2025

CVE-2025-30170
Publication date:
22/05/2025
Exposure of file path, file size or file existence vulnerabilities in ASPECT provide attackers access to file system information if session administrator credentials become compromised.<br /> This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.
Severity CVSS v4.0: MEDIUM
Last modification:
23/05/2025
Subscribe to Vulnerabilities