Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – which INCIBE translates into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-6770

Publication date:
08/07/2025
OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2 allows a remote authenticated attacker with high privileges to achieve remote code execution
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2025

CVE-2025-5463

Publication date:
08/07/2025
Insertion of sensitive information into a log file in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a local authenticated attacker to obtain that information.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2025

CVE-2025-5450

Publication date:
08/07/2025
Improper access control in the certificate management component of Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated admin with read-only rights to modify settings that should be restricted.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2025

CVE-2025-5451

Publication date:
08/07/2025
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to trigger a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2025

CVE-2025-53372

Publication date:
08/07/2025
node-code-sandbox-mcp is a Node.js–based Model Context Protocol server that spins up disposable Docker containers to execute arbitrary JavaScript. Prior to 1.3.0, a command injection vulnerability exists in the node-code-sandbox-mcp MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to child_process.execSync, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges on the host machine, bypassing the sandbox protection of running code inside docker. This vulnerability is fixed in 1.3.0.
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2025

CVE-2025-53480

Publication date:
08/07/2025
The CheckUser extension’s Special:Investigate page has a vulnerability in the Account information tab, where specific internationalized messages are rendered without proper escaping. Attackers can exploit this by appending ?uselang=x-xss to the URL, causing reflected XSS when the UI renders affected message keys. This issue affects Mediawiki - CheckUser extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2025

CVE-2025-53545

Publication date:
08/07/2025
Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Users can circumvent 2FA login for users due to a lack of server side validation for the same. This vulnerability is fixed in commit ddb439f8eb1816010f2ef653a908648b71f9bba8.
Severity CVSS v4.0: MEDIUM
Last modification:
08/07/2025

CVE-2025-36600

Publication date:
08/07/2025
Dell Client Platform BIOS contains an Improper Access Control Applied to Mirrored or Aliased Memory Regions vulnerability in an externally developed component. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2025

CVE-2025-3630

Publication date:
08/07/2025
IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.6, 6.2.0.0 through 6.2.0.4, IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6, and 6.2.0.0 through 6.2.0.4 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2025

CVE-2025-2827

Publication date:
08/07/2025
IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6, and 6.2.0.0 through 6.2.0.4 could disclose sensitive installation directory information to an authenticated user that could be used in further attacks against the system.
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2025

CVE-2025-2793

Publication date:
08/07/2025
IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.6, 6.2.0.0 through 6.2.0.4, IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6, and 6.2.0.0 through 6.2.0.4 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2025

CVE-2025-29267

Publication date:
08/07/2025
SQL Injection vulnerability in Abis, Inc Adjutant Core Accounting ERP build v.PreBeta250F allows a remote attacker to obtain sensitive information via the cid parameter in the GET request.
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2025