Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-53351

Publication date:
21/03/2025
Insecure permissions in pipecd v0.49 allow attackers to gain access to the service account's token, leading to escalation of privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2025

CVE-2024-53349

Publication date:
21/03/2025
Insecure permissions in kuadrant v0.11.3 allow attackers to gain access to the service account's token, leading to escalation of privileges via the secrets component in the k8s cluster.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2025

CVE-2023-43029

Publication date:
21/03/2025
IBM Storage Virtualize vSphere Remote Plug-in 1.0 and 1.1 could allow a remote user to obtain sensitive credential information after deployment.
Severity CVSS v4.0: CRITICAL
Last modification:
17/08/2025

CVE-2024-53348

Publication date:
21/03/2025
LoxiLB v.0.9.7 and before is vulnerable to Incorrect Access Control which allows attackers to obtain sensitive information and escalate privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2025

CVE-2019-16151

Publication date:
21/03/2025
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiOS 6.4.1 and below, 6.2.9 and below may allow a remote unauthenticated attacker to either redirect users to malicious websites via a crafted "Host" header or to execute JavaScript code in the victim's browser context. This happens when the FortiGate has web filtering and category override enabled/configured.
Severity CVSS v4.0: Pending analysis
Last modification:
23/07/2025

CVE-2025-30168

Publication date:
21/03/2025
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 7.5.2 and 8.0.2, the 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse Server apps. For example, if a user signed up using the same authentication provider in two unrelated Parse Server apps, the credentials stored by one app can be used to authenticate the same user in the other app. Note that this only affects Parse Server apps that specifically use an affected 3rd party authentication provider for user authentication, for example by setting the Parse Server option auth to configure a Parse Server authentication adapter. The fix of this vulnerability requires to upgrade Parse Server to a version that includes the bug fix, as well as upgrade the client app to send a secure payload, which is different from the previous insecure payload. This vulnerability is fixed in 7.5.2 and 8.0.2.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-30157

Publication date:
21/03/2025
Envoy is a cloud-native high-performance edge/middle/service proxy. Prior to 1.33.1, 1.32.4, 1.31.6, and 1.30.10, Envoy's ext_proc HTTP filter is at risk of crashing if a local reply is sent to the external server due to the filter's life time issue. A known situation is the failure of a websocket handshake will trigger a local reply leading to the crash of Envoy. This vulnerability is fixed in 1.33.1, 1.32.4, 1.31.6, and 1.30.10.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2025

CVE-2025-2598

Publication date:
21/03/2025
When the AWS Cloud Development Kit (AWS CDK) Command Line Interface (AWS CDK CLI) is used with a credential plugin which returns an expiration property with the retrieved AWS credentials, the credentials are printed to the console output. To mitigate this issue, users should upgrade to version 2.178.2 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
Severity CVSS v4.0: MEDIUM
Last modification:
14/10/2025

CVE-2025-24915

Publication date:
21/03/2025
When installing Nessus Agent to a non-default location on a Windows host, Nessus Agent versions prior to 10.8.3 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation location.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-27612

Publication date:
21/03/2025
libcontainer is a library for container control. Prior to libcontainer 0.5.3, while creating a tenant container, the tenant builder accepts a list of capabilities to be added in the spec of tenant container. The logic here adds the given capabilities to all capabilities of main container if present in spec, otherwise simply set provided capabilities as capabilities of the tenant container. However, setting inherited caps in any case for tenant container can lead to elevation of capabilities, similar to CVE-2022-29162. This does not affect youki binary itself. This is only applicable if you are using libcontainer directly and using the tenant builder.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-29640

Publication date:
21/03/2025
Phpgurukul Human Metapneumovirus (HMPV) – Testing Management System v1.0 is vulnerable to SQL Injection in /patient-report.php via the parameter searchdata.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2025

CVE-2025-29641

Publication date:
21/03/2025
Phpgurukul Vehicle Record Management System v1.0 is vulnerable to SQL Injection in /index.php via the 'searchinputdata' parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2025