Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-58034

Publication date:
27/02/2025
In the Linux kernel, the following vulnerability has been resolved:

memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code()

As of_find_node_by_name() releases the reference of the argument device node, tegra_emc_find_node_by_ram_code() releases some device nodes while still in use, resulting in possible UAFs. According to the bindings and the in-tree DTS files, the "emc-tables" node is always device's child node with the property "nvidia,use-ram-code", and the "lpddr2" node is a child of the "emc-tables" node. Thus utilize the for_each_child_of_node() macro and of_get_child_by_name() instead of of_find_node_by_name() to simplify the code.

This bug was found by an experimental verification tool that I am developing.

[krzysztof: applied v1, adjust the commit msg to incorporate v2 parts]
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-54957

Publication date:
27/02/2025
Nagios XI 2024R1.2.2 is vulnerable to an open redirect flaw on the Tools page, exploitable by users with read-only permissions. This vulnerability allows an attacker to craft a malicious link that redirects users to an arbitrary external URL without their consent.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2025

CVE-2024-53408

Publication date:
27/02/2025
AVE System Web Client v2.1.131.13992 was discovered to contain a cross-site scripting (XSS) vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-53944

Publication date:
27/02/2025
An issue was discovered on Tuoshi/Dionlink LT15D 4G Wi-Fi devices through M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B devices through M7628xUSAxUIv2_v1.0.1481.15.02_P0. An unauthenticated remote attacker with network access can exploit a command injection vulnerability. The /goform/formJsonAjaxReq endpoint fails to sanitize shell metacharacters sent via JSON parameters, thus allowing attackers to execute arbitrary OS commands with root privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-22624

Publication date:
27/02/2025
FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry and Carousel 2.4.29 was found to be vulnerable. The web application dynamically generates web content without validating the source of the potentially untrusted data in myapp/extensions/albums/admin/class-meta boxes.php.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2025-0767

Publication date:
27/02/2025
WP Activity Log 5.3.2 was found to be vulnerable. Unvalidated user input is used directly in an unserialize function in myapp/classes/Writers/class-csv-writer.php.
Severity CVSS v4.0: MEDIUM
Last modification:
21/05/2025

CVE-2025-27399

Publication date:
27/02/2025
Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users"), users that are not yet approved can view the block reasons. Instance admins that do not want their domain blocks to be public are impacted. Versions 4.1.23, 4.2.16, and 4.3.4 fix the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2025

CVE-2025-1745

Publication date:
27/02/2025
A vulnerability has been found in LinZhaoguan pb-cms 2.0 and classified as problematic. This vulnerability affects unknown code of the component Logout. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
03/10/2025

CVE-2025-1743

Publication date:
27/02/2025
A vulnerability, which was classified as critical, was found in zyx0814 Pichome 2.1.0. This affects an unknown part of the file /index.php?mod=textviewer. The manipulation of the argument src leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2025-1742

Publication date:
27/02/2025
A vulnerability, which was classified as problematic, has been found in pihome-shc PiHome 2.0. Affected by this issue is some unknown functionality of the file /home.php. The manipulation of the argument page_name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
21/10/2025

CVE-2025-27157

Publication date:
27/02/2025
Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on `/auth/setup`. Without those rate limits, an attacker can craft requests that will send an email to arbitrary addresses. Versions 4.2.16 and 4.3.4 fix the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2025

CVE-2025-23687

Publication date:
27/02/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in simonhunter Woo Store Mode woo-store-mode allows Reflected XSS. This issue affects Woo Store Mode: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026