Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-68116
Publication date:
16/12/2025
FileRise is a self-hosted web file manager / WebDAV server. Versions prior to 2.7.1 are vulnerable to Stored Cross-Site Scripting (XSS) due to unsafe handling of browser-renderable user uploads when served through the sharing and download endpoints. An attacker who can get a crafted SVG (primary) or HTML (secondary) file stored in a FileRise instance can cause JavaScript execution when a victim opens a generated share link (and in some cases via the direct download endpoint). This impacts share links (`/api/file/share.php`) and direct file access / download path (`/api/file/download.php`), depending on browser/content-type behavior. Version 2.7.1 fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
16/12/2025

CVE-2025-68130
Publication date:
16/12/2025
tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a A prototype pollution vulnerability exists in `@trpc/server`'s `formDataToObject` function, which is used by the Next.js App Router adapter. An attacker can pollute `Object.prototype` by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts. Note that this vulnerability is only present when using `experimental_caller` / `experimental_nextAppDirCaller`. Versions 10.45.3 and 11.8.0 fix the issue.
Severity CVSS v4.0: HIGH
Last modification:
16/12/2025

CVE-2025-59935
Publication date:
16/12/2025
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch.
Severity CVSS v4.0: Pending analysis
Last modification:
16/12/2025

CVE-2025-62862
Publication date:
16/12/2025
Ampere AmpereOne AC03 devices before 3.5.9.3, AmpereOne AC04 devices before 4.4.5.2, and AmpereOne M devices before 5.4.5.1 allow an incorrectly formed SMC call to UEFI-MM Boot Error Record Table driver that could result in (1) an out-of-bounds read which leaks Secure-EL0 information to a process running in Non-Secure state or (2) an out-of-bounds write which corrupts Secure or Non-Secure memory, limited to memory mapped to UEFI-MM Secure Partition by the Secure Partition Manager.
Severity CVSS v4.0: Pending analysis
Last modification:
16/12/2025

CVE-2025-63414
Publication date:
16/12/2025
A Path Traversal vulnerability in the Allsky WebUI version v2024.12.06_06 allows an unauthenticated remote attacker to achieve arbitrary command execution. By sending a crafted HTTP request to the /html/execute.php endpoint with a malicious payload in the id parameter, an attacker can execute arbitrary commands on the underlying operating system, leading to full remote code execution (RCE).
Severity CVSS v4.0: Pending analysis
Last modification:
16/12/2025

CVE-2025-50401
Publication date:
16/12/2025
Mercury D196G d196gv1-cn-up_2020-01-09_11.21.44 is vulnerable to Buffer Overflow in the function sub_404CAEDC via the parameter password.
Severity CVSS v4.0: Pending analysis
Last modification:
16/12/2025

CVE-2025-50398
Publication date:
16/12/2025
Mercury D196G d196gv1-cn-up_2020-01-09_11.21.44 is vulnerable to Buffer Overflow in the function sub_404CAEDC via the parameter fac_password.
Severity CVSS v4.0: Pending analysis
Last modification:
16/12/2025

CVE-2025-37164
Publication date:
16/12/2025
A remote code execution issue exists in HPE OneView.
Severity CVSS v4.0: Pending analysis
Last modification:
16/12/2025

CVE-2025-68315
Publication date:
16/12/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to detect potential corrupted nid in free_nid_list<br /> <br /> As reported, on-disk footer.ino and footer.nid is the same and<br /> out-of-range, let&amp;#39;s add sanity check on f2fs_alloc_nid() to detect<br /> any potential corruption in free_nid_list.
Severity CVSS v4.0: Pending analysis
Last modification:
16/12/2025

CVE-2025-68316
Publication date:
16/12/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: ufs: core: Fix invalid probe error return value<br /> <br /> After DME Link Startup, the error return value is set to the MIPI UniPro<br /> GenericErrorCode which can be 0 (SUCCESS) or 1 (FAILURE). Upon failure<br /> during driver probe, the error code 1 is propagated back to the driver<br /> probe function which must return a negative value to indicate an error,<br /> but 1 is not negative, so the probe is considered to be successful even<br /> though it failed. Subsequently, removing the driver results in an oops<br /> because it is not in a valid state.<br /> <br /> This happens because none of the callers of ufshcd_init() expect a<br /> non-negative error code.<br /> <br /> Fix the return value and documentation to match actual usage.
Severity CVSS v4.0: Pending analysis
Last modification:
16/12/2025

CVE-2025-68317
Publication date:
16/12/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> io_uring/zctx: check chained notif contexts<br /> <br /> Send zc only links ubuf_info for requests coming from the same context.<br /> There are some ambiguous syz reports, so let&amp;#39;s check the assumption on<br /> notification completion.
Severity CVSS v4.0: Pending analysis
Last modification:
16/12/2025

CVE-2025-68318
Publication date:
16/12/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL<br /> <br /> The AXI crossbar of TH1520 has no proper timeout handling, which means<br /> gating AXI clocks can easily lead to bus timeout and thus system hang.<br /> <br /> Set all AXI clock gates to CLK_IS_CRITICAL. All these clock gates are<br /> ungated by default on system reset.<br /> <br /> In addition, convert all current CLK_IGNORE_UNUSED usage to<br /> CLK_IS_CRITICAL to prevent unwanted clock gating.
Severity CVSS v4.0: Pending analysis
Last modification:
16/12/2025
Subscribe to Vulnerabilities