Vulnerabilities

To inform, warn and assist professionals regarding the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish by virtue of a partnership agreement.

Occasionally this list will show vulnerabilities that have not yet been translated, since entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to the relevant information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches can be carried out by selecting different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-44004

Publication date:
11/08/2025
Mattermost Confluence Plugin version
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2025

CVE-2025-48731

Publication date:
11/08/2025
Mattermost Confluence Plugin version
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2025

CVE-2025-25229

Publication date:
11/08/2025
Omnissa Workspace ONE UEM contains a Server-Side Request Forgery (SSRF) Vulnerability. A malicious actor with user privileges may be able to access restricted internal system information, potentially enabling enumeration of internal network resources.
Severity CVSS v4.0: Pending analysis
Last modification:
12/08/2025
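The entry above describes the general SSRF pattern: a server fetches a URL on the user's behalf and, without checks, can be pointed at internal hosts. The block below is an added example of the outbound-URL validation a defender applies for this class of bug; it is not Omnissa's code and does not reproduce the affected endpoint. The DNS table, the hostnames and the function names are constructed for the example so it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table so the example runs offline. A real implementation
# would resolve with socket.getaddrinfo(), check every returned address, and
# then connect to the vetted address rather than re-resolving the name
# (otherwise a DNS-rebinding attacker can swap the answer between check and use).
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],                   # public address
    "internal.corp.example": ["10.0.0.5"],                  # RFC 1918 range
    "rebind.example": ["93.184.216.34", "169.254.169.254"], # public + link-local
}


def resolve(host):
    """Stand-in resolver: returns the constructed addresses for a hostname."""
    if host not in FAKE_DNS:
        raise ValueError(f"unresolvable host: {host}")
    return FAKE_DNS[host]


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses (v4 or v6)."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not (
        ip.is_multicast or ip.is_private or ip.is_loopback
        or ip.is_link_local or ip.is_reserved or ip.is_unspecified
    )


def check_outbound_url(url: str, resolver=resolve):
    """Return (allowed, reason). Only http(s) URLs whose host maps
    exclusively to public addresses are allowed."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    # "http://trusted.example@10.0.0.5/" parses with a userinfo part; refuse it.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        try:
            addresses = resolver(host)
        except ValueError as exc:
            return False, str(exc)
    # Every address must be public: one internal answer is enough to refuse.
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host} maps to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://api.example.com/v1/status",
                      "http://internal.corp.example/admin",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://rebind.example/",
                      "file:///etc/passwd"):
        print(candidate, "->", check_outbound_url(candidate))
```

The check rejects non-HTTP schemes, URLs carrying userinfo, literal loopback, link-local and private addresses, and any hostname whose resolution includes a non-public address. Pinning the connection to the vetted address is the other half of the defence and is outside what this snippet shows.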

CVE-2025-53187

Publication date:
11/08/2025
Due to an issue in configuration, code that was intended for debugging purposes was included in the market release of the ASPECT FW, allowing an attacker to bypass authentication. This vulnerability may allow an attacker to change the system time, access files, and make function calls without prior authentication. This issue affects all versions of ASPECT prior to 3.08.04-s01.
Severity CVSS v4.0: CRITICAL
Last modification:
04/09/2025

CVE-2025-54063

Publication date:
11/08/2025
Cherry Studio is a desktop client that supports multiple LLM providers. From versions 1.4.8 to 1.5.0, there is a one-click remote code execution vulnerability through the custom URL handling. An attacker can exploit this by hosting a malicious website or embedding a specially crafted URL on any website. If a victim clicks the exploit link in their browser, the app's custom URL handler is triggered, leading to remote code execution on the victim's machine. This issue has been patched in version 1.5.1.
Severity CVSS v4.0: Pending analysis
Last modification:
11/08/2025

CVE-2025-25231

Publication date:
11/08/2025
Omnissa Workspace ONE UEM contains a Secondary Context Path Traversal Vulnerability. A malicious actor may be able to gain access to sensitive information by sending crafted GET requests (read-only) to restricted API endpoints.
Severity CVSS v4.0: Pending analysis
Last modification:
11/08/2025

CVE-2025-8866

Publication date:
11/08/2025
YugabyteDB Anywhere web server does not properly enforce authentication for the /metamaster/universe API endpoint. An unauthenticated attacker could exploit this flaw to obtain server networking configuration details, including private and public IP addresses and DNS records.
Severity CVSS v4.0: MEDIUM
Last modification:
11/08/2025

CVE-2025-45146

Publication date:
11/08/2025
ModelCache for LLM through v0.2.0 was discovered to contain a deserialization vulnerability via the component /manager/data_manager.py. This vulnerability allows attackers to execute arbitrary code by supplying crafted data.
Severity CVSS v4.0: Pending analysis
Last modification:
17/10/2025
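The entry above is the classic Python deserialization case: pickle executes whatever callable a crafted stream names when it is loaded. The block below is an added illustration of why that is code execution and what a restricted unpickler does about it; it is not ModelCache's code, and the payload class, the `echo` stand-in command and the allow-list are constructed for the example.

```python
import io
import pickle
import subprocess


# Constructed payload: __reduce__ tells pickle to call an arbitrary importable
# callable with attacker-chosen arguments when the stream is loaded. A harmless
# `echo` stands in for whatever an attacker would really run.
class MaliciousPayload:
    def __reduce__(self):
        return (subprocess.check_output, (["echo", "code ran during unpickling"],))


def build_crafted_pickle() -> bytes:
    """Serialise the payload the way an attacker would for a pickle.loads() sink."""
    return pickle.dumps(MaliciousPayload())


def build_benign_pickle() -> bytes:
    """A legitimate cache value, for comparison (constructed)."""
    return pickle.dumps({"cache_key": [1, 2, 3]})


def unsafe_load(data: bytes):
    """The vulnerable pattern: pickle.loads() on data of untrusted origin.
    Loading the crafted stream runs the callable and returns its result."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list unpickler: only plain container/scalar types may be resolved.
    Any other global reference (subprocess.check_output, os.system, ...)
    raises before it can be called."""
    SAFE = {
        ("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
        ("builtins", "frozenset"), ("builtins", "str"), ("builtins", "int"),
    }

    def find_class(self, module, name):
        if (module, name) in self.SAFE:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def safe_load(data: bytes):
    """Hardened loader. Still pickle, so only use it when the format cannot
    be replaced by JSON or another data-only serialisation."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    blob = build_crafted_pickle()
    executed = unsafe_load(blob)          # b"code ran during unpickling\n"
    try:
        safe_load(blob)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return executed.strip(), blocked


if __name__ == "__main__":
    print(demo())
    print(safe_load(build_benign_pickle()))
```

The restricted unpickler still accepts the benign cache value, because dicts and lists are emitted with native opcodes and never go through `find_class`. The stronger fix is to stop accepting pickle from untrusted sources altogether; the allow-list is the mitigation when the format cannot be changed.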

CVE-2025-38499

Publication date:
11/08/2025
In the Linux kernel, the following vulnerability has been resolved:

clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns

What we want is to verify that the clone won't expose something hidden by a mount we wouldn't be able to undo. "Wouldn't be able to undo" may be a result of MNT_LOCKED on a child, but it may also come from lacking admin rights in the userns of the namespace mount belongs to.

clone_private_mnt() checks the former, but not the latter.

There's a number of rather confusing CAP_SYS_ADMIN checks in various userns during the mount, especially with the new mount API; they serve different purposes and in case of clone_private_mnt() they usually, but not always end up covering the missing check mentioned above.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-8865

Publication date:
11/08/2025
The YugabyteDB tablet server contains a flaw in its YCQL query handling that can trigger a null pointer dereference when processing certain malformed inputs. An authenticated attacker could exploit this issue to crash the YCQL tablet server, resulting in a denial of service.
Severity CVSS v4.0: MEDIUM
Last modification:
11/08/2025

CVE-2025-8859

Publication date:
11/08/2025
A vulnerability was identified in code-projects eBlog Site 1.0. Affected by this vulnerability is an unknown functionality of the file /native/admin/save-slider.php of the component File Upload Module. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
23/10/2025

CVE-2012-10037

Publication date:
11/08/2025
PhpTax version 0.8 contains a remote code execution vulnerability in drawimage.php. The pfilez GET parameter is unsafely passed to the exec() function without sanitization. A remote attacker can inject arbitrary shell commands, leading to code execution under the web server's context. No authentication is required.
Severity CVSS v4.0: CRITICAL
Last modification:
11/08/2025
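The entry above is a plain command injection: a request parameter concatenated into a shell command. The block below is an added example of that pattern and its two-layer fix (allow-list validation, then argv-style execution with no shell), written in Python rather than PHP, with `subprocess` playing the role of exec(). It is not PhpTax's code; `echo` is a constructed stand-in for the real command, and the parameter format, names and sample values are assumptions.

```python
import re
import subprocess

# Allow-list for the file-name style value the parameter is expected to carry
# (assumed format for the example).
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def render_vulnerable(pfilez: str) -> str:
    """Vulnerable pattern: untrusted input interpolated into a command string
    that is handed to a shell (the analogue of PHP exec() on a built string).
    `echo` stands in for the real command so the effect stays visible."""
    return subprocess.check_output(f"echo rendering {pfilez}", shell=True, text=True)


def render_no_shell(pfilez: str) -> str:
    """Layer 1: pass the value as a single argv element with no shell, so
    metacharacters such as ';' and '|' are inert and reach the program as data."""
    return subprocess.check_output(["echo", "rendering", pfilez], text=True)


def render_hardened(pfilez: str) -> str:
    """Layer 2: additionally reject anything outside the expected format, so
    the value cannot smuggle option flags or odd bytes into the command."""
    if not SAFE_NAME.fullmatch(pfilez):
        raise ValueError(f"rejected parameter value: {pfilez!r}")
    return render_no_shell(pfilez)


def demo():
    benign = "form1040"
    # Constructed injection string: a command separator plus a second command.
    hostile = "form1040; echo INJECTED"
    vulnerable_out = render_vulnerable(hostile)   # second command runs
    inert_out = render_no_shell(hostile)          # whole string is one argument
    try:
        render_hardened(hostile)
        hardened_blocked = False
    except ValueError:
        hardened_blocked = True
    return vulnerable_out, inert_out, hardened_blocked, render_hardened(benign)


if __name__ == "__main__":
    for line in demo():
        print(repr(line))
```

`fullmatch` is used rather than `match` with `$`, because `$` also matches before a trailing newline and would let `"form1040\n"` through. The argv form alone already stops shell injection; the allow-list is what stops argument injection against the invoked program.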