Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-38090
Publication date:
30/06/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drivers/rapidio/rio_cm.c: prevent possible heap overwrite<br /> <br /> In<br /> <br /> riocm_cdev_ioctl(RIO_CM_CHAN_SEND)<br /> -&gt; cm_chan_msg_send()<br /> -&gt; riocm_ch_send()<br /> <br /> cm_chan_msg_send() checks that userspace didn&amp;#39;t send too much data but<br /> riocm_ch_send() failed to check that userspace sent sufficient data. The<br /> result is that riocm_ch_send() can write to fields in the rio_ch_chan_hdr<br /> which were outside the bounds of the space which cm_chan_msg_send()<br /> allocated.<br /> <br /> Address this by teaching riocm_ch_send() to check that the entire<br /> rio_ch_chan_hdr was copied in from userspace.
Severity CVSS v4.0: Pending analysis
Last modification:
17/12/2025

CVE-2025-6897
Publication date:
30/06/2025
A vulnerability classified as critical was found in D-Link DI-7300G+ 19.12.25A1. Affected by this vulnerability is an unknown functionality of the file httpd_debug.asp. The manipulation of the argument Time leads to os command injection. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2025-38087
Publication date:
30/06/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: fix use-after-free in taprio_dev_notifier<br /> <br /> Since taprio’s taprio_dev_notifier() isn’t protected by an<br /> RCU read-side critical section, a race with advance_sched()<br /> can lead to a use-after-free.<br /> <br /> Adding rcu_read_lock() inside taprio_dev_notifier() prevents this.
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2025

CVE-2025-6891
Publication date:
30/06/2025
A vulnerability classified as critical has been found in code-projects Inventory Management System 1.0. Affected is an unknown function of the file /php_action/createUser.php. The manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
29/04/2026

CVE-2025-6896
Publication date:
30/06/2025
A vulnerability classified as critical has been found in D-Link DI-7300G+ 19.12.25A1. Affected is an unknown function of the file wget_test.asp. The manipulation of the argument url leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2025-6890
Publication date:
30/06/2025
A vulnerability was found in code-projects Movie Ticketing System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /ticketConfirmation.php. The manipulation of the argument Date leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2025-5730
Publication date:
30/06/2025
The Contact Form Plugin WordPress plugin before 1.1.29 does not sanitise and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2025

CVE-2025-6889
Publication date:
30/06/2025
A vulnerability was found in code-projects Movie Ticketing System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /logIn.php. The manipulation of the argument postName leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
29/04/2026

CVE-2025-3745
Publication date:
30/06/2025
The WP Lightbox 2 WordPress plugin before 3.0.6.8 does not correctly sanitize the value of the title attribute of links before using them, which may allow malicious users to conduct XSS attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2025

CVE-2025-6887
Publication date:
30/06/2025
A vulnerability was found in Tenda AC5 15.03.06.47 and classified as critical. Affected by this issue is some unknown functionality of the file /goform/SetSysTimeCfg. The manipulation of the argument time/timeZone leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: HIGH
Last modification:
01/07/2025

CVE-2025-6888
Publication date:
30/06/2025
A vulnerability was found in PHPGurukul Teachers Record Management System 2.1. It has been classified as critical. This affects an unknown part of the file /admin/changeimage.php. The manipulation of the argument tid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
29/04/2026

CVE-2025-6886
Publication date:
30/06/2025
A vulnerability has been found in Tenda AC5 15.03.06.47 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /goform/openSchedWifi. The manipulation of the argument schedStartTime/schedEndTime leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: HIGH
Last modification:
01/07/2025
Subscribe to Vulnerabilities