Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available, for users interested in this information, a database in Spanish that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with the option to select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-46059

Publication date:
29/07/2025
langchain-ai v0.3.51 was discovered to contain an indirect prompt injection vulnerability in the GmailToolkit component. This vulnerability allows attackers to execute arbitrary code and compromise the application via a crafted email message. NOTE: this is disputed by the Supplier because the code-execution issue was introduced by user-written code that does not adhere to the LangChain security practices.
Severity CVSS v4.0: Pending analysis
Last modification:
04/08/2025

CVE-2025-50738

Publication date:
29/07/2025
The Memos application, up to version v0.24.3, allows for the embedding of markdown images with arbitrary URLs. When a user views a memo containing such an image, their browser automatically fetches the image URL without explicit user consent or interaction beyond viewing the memo. This can be exploited by an attacker to disclose the viewing user's IP address, browser User-Agent string, and potentially other request-specific information to the attacker-controlled server, leading to information disclosure and user tracking.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2025

CVE-2025-51970

Publication date:
29/07/2025
A SQL Injection vulnerability exists in the action.php endpoint of PuneethReddyHC Online Shopping System Advanced 1.0 due to improper sanitization of user-supplied input in the keyword POST parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
13/11/2025

CVE-2025-28172

Publication date:
29/07/2025
Grandstream Networks UCM6510 v1.0.20.52 and before is vulnerable to Improper Restriction of Excessive Authentication Attempts. An attacker can perform an arbitrary number of authentication attempts using different passwords and eventually gain access to the targeted account using a brute force attack.
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2025-52358

Publication date:
29/07/2025
A cross-site scripting vulnerability in Vivaldi United Group iCONTROL+ Server including Firmware version 4.7.8.0.eden Logic version 5.32 and below. This issue allows attackers to inject JavaScript payloads within the error or edit-menu-item parameters which are then executed in the victim's browser session.
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2024-42645

Publication date:
29/07/2025
An issue in FlashMQ v1.14.0 allows attackers to cause an assertion failure via sending a crafted retain message, leading to a Denial of Service (DoS).
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2024-42644

Publication date:
29/07/2025
FlashMQ v1.14.0 was discovered to contain an assertion failure in the function PublishCopyFactory::getNewPublish, which occurs when the QoS value of the publish object is greater than 0.
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2025-6504

Publication date:
29/07/2025
In HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header. Since XFF is a client-controlled header, it could be spoofed, allowing unauthorized access if the spoofed IP matched a whitelisted range. This vulnerability could be exploited to bypass IP restrictions, though valid user credentials would still be required for resource access.
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2025

CVE-2025-6505

Publication date:
29/07/2025
Unauthorized access and impersonation can occur in versions 4.6.2.3226 and below of Progress Software's Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credentials from different sources, potentially leading to client impersonation and unauthorized access. When OAuth Clients perform an OAuth handshake with the Hybrid Data Pipeline Server, the server accepts client credentials from both HTTP headers and request parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2025

CVE-2025-6060

Publication date:
29/07/2025
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in DECE Software Geodi allows Cross-Site Scripting (XSS). This issue affects Geodi: before GEODI Setup 9.0.146.
Severity CVSS v4.0: Pending analysis
Last modification:
29/07/2025

CVE-2025-6175

Publication date:
29/07/2025
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in DECE Software Geodi allows HTTP Request Splitting. This issue affects Geodi: before GEODI Setup 9.0.146.
Severity CVSS v4.0: Pending analysis
Last modification:
29/07/2025

CVE-2025-7458

Publication date:
29/07/2025
An integer overflow in the sqlite3KeyInfoFromExprList function in SQLite versions 3.39.2 through 3.41.1 allows an attacker with the ability to execute arbitrary SQL statements to cause a denial of service or disclose sensitive information from process memory via a crafted SELECT statement with a large number of expressions in the ORDER BY clause.
Severity CVSS v4.0: MEDIUM
Last modification:
11/08/2025