Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-53104
Publication date:
01/07/2025
gluestack-ui is a library of copy-pasteable components & patterns crafted with Tailwind CSS (NativeWind). Prior to commit e6b4271, a command injection vulnerability was discovered in the discussion-to-slack.yml GitHub Actions workflow. Untrusted discussion fields (title, body, etc.) were directly interpolated into shell commands in a run: block. An attacker could craft a malicious GitHub Discussion title or body (e.g., $(curl ...)) to execute arbitrary shell commands on the Actions runner. This issue has been fixed in commit e6b4271 where the discussion-to-slack.yml workflow was removed. Users should remove the discussion-to-slack.yml workflow if using a fork or derivative of this repository.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2025-27153
Publication date:
01/07/2025
Escalade GLPI plugin is a ticket escalation process helper for GLPI. Prior to version 2.9.11, there is an improper access control vulnerability. This can lead to data exposure and workflow disruptions. This issue has been patched in version 2.9.11.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2025-53100
Publication date:
01/07/2025
RestDB's Codehooks.io MCP Server is an MCP server on the Codehooks.io platform. Prior to version 0.2.2, the MCP server is written in a way that is vulnerable to command injection attacks as part of some of its MCP Server tools definition and implementation. This could result in a user initiated remote command injection attack on a running MCP Server. This issue has been patched in version 0.2.2.
Severity CVSS v4.0: HIGH
Last modification:
03/07/2025

CVE-2025-53103
Publication date:
01/07/2025
JUnit is a testing framework for Java and the JVM. From version 5.12.0 to 5.13.1, JUnit's support for writing Open Test Reporting XML files can leak Git credentials. The impact depends on the level of the access token exposed through the OpenTestReportGeneratingListener. If these test reports are published or stored anywhere public, then there is the possibility that a rouge attacker can steal the token and perform elevated actions by impersonating the user or app. This issue as been patched in version 5.13.2.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2025-53107
Publication date:
01/07/2025
@cyanheads/git-mcp-server is an MCP server designed to interact with Git repositories. Prior to version 2.1.5, there is a command injection vulnerability caused by the unsanitized use of input parameters within a call to child_process.exec, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (|, >, &&, etc.). An MCP Client can be instructed to execute additional actions for example via indirect prompt injection when asked to read git logs. This issue has been patched in version 2.1.5.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2025-45081
Publication date:
01/07/2025
Misconfigured settings in IITB SSO v1.1.0 allow attackers to access sensitive application data.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2025-45083
Publication date:
01/07/2025
Incorrect access control in Ullu (Android version v2.9.929 and IOS version v2.8.0) allows attackers to bypass parental pin feature via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2025-52294
Publication date:
01/07/2025
Insufficient validation of the screen lock mechanism in Trust Wallet v8.45 allows physically proximate attackers to bypass the lock screen and view the wallet balance.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2025-37099
Publication date:
01/07/2025
A remote code execution vulnerability exists in HPE Insight Remote Support (IRS) prior to v7.15.0.646.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2025-45080
Publication date:
01/07/2025
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2025-34080
Publication date:
01/07/2025
The Contec Co.,Ltd. CONPROSYS HMI System (CHS) is vulnerable to Cross-Site Scripting (XSS) in the getqsetting.php functionality that could allow reflected execution of scripts in the browser on interaction.This issue affects CONPROSYS HMI System (CHS): before 3.7.7.
Severity CVSS v4.0: MEDIUM
Last modification:
04/11/2025

CVE-2025-34081
Publication date:
01/07/2025
The Contec Co.,Ltd. CONPROSYS HMI System (CHS) exposes a PHP phpinfo() debug page to unauthenticated users that may contain sensitive data useful for an attacker.This issue affects CONPROSYS HMI System (CHS): before 3.7.7.
Severity CVSS v4.0: MEDIUM
Last modification:
04/11/2025
Subscribe to Vulnerabilities