Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, with the option to select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-44877

Publication date:
02/05/2025
Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formSetSambaConf function via the usbname parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2025

CVE-2025-3927

Publication date:
02/05/2025
Digigram's PYKO-OUT audio-over-IP (AoIP) web-server does not require a password by default, allowing any attacker with the target IP address to connect and compromise the device, potentially pivoting to connected network or hardware devices.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2025

CVE-2025-37797

Publication date:
02/05/2025
In the Linux kernel, the following vulnerability has been resolved:

net_sched: hfsc: Fix a UAF vulnerability in class handling

This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class handling. The issue occurs due to a time-of-check/time-of-use condition in hfsc_change_class() when working with certain child qdiscs like netem or codel.

The vulnerability works as follows:
1. hfsc_change_class() checks if a class has packets (q.qlen != 0)
2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g., codel, netem) might drop packets and empty the queue
3. The code continues assuming the queue is still non-empty, adding the class to vttree
4. This breaks HFSC scheduler assumptions that only non-empty classes are in vttree
5. Later, when the class is destroyed, this can lead to a Use-After-Free

The fix adds a second queue length check after qdisc_peek_len() to verify the queue wasn't emptied.
Severity CVSS v4.0: Pending analysis
Last modification:
06/11/2025

CVE-2025-37798

Publication date:
02/05/2025
In the Linux kernel, the following vulnerability has been resolved:

codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()

After making all ->qlen_notify() callbacks idempotent, now it is safe to remove the check of qlen!=0 from both fq_codel_dequeue() and codel_qdisc_dequeue().
Severity CVSS v4.0: Pending analysis
Last modification:
06/11/2025

CVE-2025-1883

Publication date:
02/05/2025
Out-Of-Bounds Write vulnerability exists in the OBJ file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025. This vulnerability could allow an attacker to execute arbitrary code while opening a specially crafted OBJ file.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-1884

Publication date:
02/05/2025
Use-After-Free vulnerability exists in the SLDPRT file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025. This vulnerability could allow an attacker to execute arbitrary code while opening a specially crafted SLDPRT file.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-4204

Publication date:
02/05/2025
The Ultimate Auction Pro plugin for WordPress is vulnerable to SQL Injection via the ‘auction_id’ parameter in all versions up to, and including, 1.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity CVSS v4.0: Pending analysis
Last modification:
04/06/2025

CVE-2025-2605

Publication date:
02/05/2025
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Honeywell MB-Secure allows Privilege Abuse. This issue affects MB-Secure: from V11.04 before V12.53 and MB-Secure PRO from V01.06 before V03.09. Honeywell also recommends updating to the most recent version of this product.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2025

CVE-2025-2488

Publication date:
02/05/2025
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Profelis Informatics SambaBox allows Cross-Site Scripting (XSS). This issue affects SambaBox: before 5.1.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2025

CVE-2025-2421

Publication date:
02/05/2025
Improper Control of Generation of Code ('Code Injection') vulnerability in Profelis Informatics SambaBox allows Code Injection. This issue affects SambaBox: before 5.1.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2025

CVE-2025-1301

Publication date:
02/05/2025
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Yordam Informatics Library Automation System allows Reflected XSS. This issue affects Library Automation System: before 21.6.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2025

CVE-2025-0427

Publication date:
02/05/2025
Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform valid GPU processing operations to gain access to already freed memory. This issue affects Bifrost GPU Kernel Driver: from r8p0 through r49p3, from r50p0 through r51p0; Valhall GPU Kernel Driver: from r19p0 through r49p3, from r50p0 through r53p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r49p3, from r50p0 through r53p0.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2025