Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-1163
Publication date:
11/02/2025
A vulnerability classified as critical was found in code-projects Vehicle Parking Management System 1.0. This vulnerability affects the function login of the component Authentication. The manipulation of the argument username leads to stack-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
10/04/2025

CVE-2025-1164
Publication date:
11/02/2025
A vulnerability, which was classified as problematic, has been found in code-projects Police FIR Record Management System 1.0. This issue affects some unknown processing of the component Add Record Handler. The manipulation leads to stack-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
11/04/2025

CVE-2025-25194
Publication date:
10/02/2025
Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypub_federation, a framework for ActivityPub federation in Rust. This vulnerability, which is present in versions 0.6.2 and prior of activitypub_federation and versions 0.19.8 and prior of Lemmy, allows a user to bypass any predefined hardcoded URL path or security anti-Localhost mechanism and perform an arbitrary GET request to any Host, Port and URL using a Webfinger Request. As of time of publication, a fix has not been made available.
Severity CVSS v4.0: Pending analysis
Last modification:
10/02/2025

CVE-2025-1160
Publication date:
10/02/2025
A vulnerability was found in SourceCodester Employee Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file index.php. The manipulation of the argument username/password leads to use of default credentials. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
03/03/2025

CVE-2025-1162
Publication date:
10/02/2025
A vulnerability classified as critical has been found in code-projects Job Recruitment 1.0. This affects an unknown part of the file /\_parse/load\_user-profile.php. The manipulation of the argument userhash leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
28/05/2025

CVE-2025-24970
Publication date:
10/02/2025
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.
Severity CVSS v4.0: Pending analysis
Last modification:
05/09/2025

CVE-2025-25189
Publication date:
10/02/2025
The ZOO-Project is an open source processing platform. A reflected Cross-Site Scripting vulnerability exists in the ZOO-Project Web Processing Service (WPS) publish.py CGI script prior to commit 7a5ae1a. The script reflects user input from the `jobid` parameter in its HTTP response without proper HTML encoding or sanitization. When a victim visits a specially crafted URL pointing to this endpoint, arbitrary JavaScript code can be executed in their browser context. The vulnerability occurs because the CGI script directly outputs the query string parameters into the HTML response without escaping HTML special characters. An attacker can inject malicious JavaScript code through the `jobid` parameter which will be executed when rendered by the victim's browser. Commit 7a5ae1a contains a fix for the issue.
Severity CVSS v4.0: MEDIUM
Last modification:
11/02/2025

CVE-2025-25190
Publication date:
10/02/2025
The ZOO-Project is an open source processing platform. The ZOO-Project Web Processing Service (WPS) Server contains a Cross-Site Scripting (XSS) vulnerability in its EchoProcess service prior to commit 7a5ae1a. The vulnerability exists because the EchoProcess service directly reflects user input in its output without proper sanitization when handling complex inputs.The service accepts various input formats including XML, JSON, and SVG, and returns the content based on the requested MIME type. When processing SVG content and returning it with the image/svg+xml MIME type, the server fails to sanitize potentially malicious JavaScript in attributes like onload, allowing arbitrary JavaScript execution in the victim's browser context. This vulnerability is particularly dangerous because it exists in a service specifically designed to echo back user input, and the lack of proper sanitization in combination with SVG handling creates a reliable XSS vector. Commit 7a5ae1a contains a fix for the issue.
Severity CVSS v4.0: MEDIUM
Last modification:
11/02/2025

CVE-2025-25193
Publication date:
10/02/2025
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2025

CVE-2025-1158
Publication date:
10/02/2025
A vulnerability was found in ESAFENET CDG 5.6.3.154.205_20250114. It has been classified as critical. Affected is an unknown function of the file addPolicyToSafetyGroup.jsp. The manipulation of the argument safetyGroupId leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
10/02/2025

CVE-2025-1159
Publication date:
10/02/2025
A vulnerability was found in CampCodes School Management Software 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /academic-calendar. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
28/03/2025

CVE-2025-1156
Publication date:
10/02/2025
A vulnerability has been found in Pix Software Vivaz 6.0.10 and classified as critical. This vulnerability affects unknown code of the file /servlet?act=login. The manipulation of the argument usuario leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
10/02/2025
Subscribe to Vulnerabilities