Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish by virtue of a partnership agreement.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, for example vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-53038

Publication date:
02/05/2025
In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Check kzalloc() in lpfc_sli4_cgn_params_read()

If kzalloc() fails in lpfc_sli4_cgn_params_read(), then we rely on lpfc_read_object()'s routine to NULL check pdata.

Currently, an early return error is thrown from lpfc_read_object() to protect us from NULL ptr dereference, but the errno code is -ENODEV.

Change the errno code to a more appropriate -ENOMEM.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2025

CVE-2022-49933

Publication date:
02/05/2025
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2025

CVE-2025-4166

Publication date:
02/05/2025
Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2025

CVE-2025-44872

Publication date:
02/05/2025
Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formsetUsbUnload function via the deviceName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2025

CVE-2025-44877

Publication date:
02/05/2025
Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formSetSambaConf function via the usbname parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2025

CVE-2025-44868

Publication date:
02/05/2025
Wavlink WL-WN530H4 20220801 was found to contain a command injection vulnerability in the ping_test function of the adm.cgi via the pingIp parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
13/06/2025

CVE-2025-3927

Publication date:
02/05/2025
Digigram's PYKO-OUT audio-over-IP (AoIP) web-server does not require a password by default, allowing any attacker with the target IP address to connect and compromise the device, potentially pivoting to connected network or hardware devices.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2025

CVE-2025-1883

Publication date:
02/05/2025
Out-Of-Bounds Write vulnerability exists in the OBJ file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025. This vulnerability could allow an attacker to execute arbitrary code while opening a specially crafted OBJ file.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2025

CVE-2025-1884

Publication date:
02/05/2025
Use-After-Free vulnerability exists in the SLDPRT file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025. This vulnerability could allow an attacker to execute arbitrary code while opening a specially crafted SLDPRT file.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2025

CVE-2025-37797

Publication date:
02/05/2025
In the Linux kernel, the following vulnerability has been resolved:

net_sched: hfsc: Fix a UAF vulnerability in class handling

This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class handling. The issue occurs due to a time-of-check/time-of-use condition in hfsc_change_class() when working with certain child qdiscs like netem or codel.

The vulnerability works as follows:
1. hfsc_change_class() checks if a class has packets (q.qlen != 0)
2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g., codel, netem) might drop packets and empty the queue
3. The code continues assuming the queue is still non-empty, adding the class to vttree
4. This breaks HFSC scheduler assumptions that only non-empty classes are in vttree
5. Later, when the class is destroyed, this can lead to a Use-After-Free

The fix adds a second queue length check after qdisc_peek_len() to verify the queue wasn't emptied.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2025

CVE-2025-37798

Publication date:
02/05/2025
In the Linux kernel, the following vulnerability has been resolved:

codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()

After making all ->qlen_notify() callbacks idempotent, now it is safe to remove the check of qlen!=0 from both fq_codel_dequeue() and codel_qdisc_dequeue().
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2025

CVE-2025-4204

Publication date:
02/05/2025
The Ultimate Auction Pro plugin for WordPress is vulnerable to SQL Injection via the ‘auction_id’ parameter in all versions up to, and including, 1.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity CVSS v4.0: Pending analysis
Last modification:
04/06/2025