Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-57758
Publication date:
28/08/2025
Contao is an Open Source CMS. In versions starting from 5.0.0 and prior to 5.3.38 and 5.6.1, the table access voter in the back end doesn't check if a user is allowed to access the corresponding module. This issue has been patched in versions 5.3.38 and 5.6.1. A workaround involves not relying solely on the voter and additionally to check USER_CAN_ACCESS_MODULE.
Severity CVSS v4.0: Pending analysis
Last modification:
02/09/2025

CVE-2025-57759
Publication date:
28/08/2025
Contao is an Open Source CMS. In versions starting from 5.3.0 and prior to 5.3.38 and 5.6.1, under certain conditions, back end users may be able to edit fields of pages and articles without having the necessary permissions. This issue has been patched in versions 5.3.38 and 5.6.1. There are no workarounds.
Severity CVSS v4.0: Pending analysis
Last modification:
02/09/2025

CVE-2025-57819
Publication date:
28/08/2025
FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3.
Severity CVSS v4.0: CRITICAL
Last modification:
24/10/2025

CVE-2025-58334
Publication date:
28/08/2025
In JetBrains IDE Services before 2025.5.0.1086, <br /> 2025.4.2.2164 users without appropriate permissions could assign high-privileged role for themselves
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2025

CVE-2025-31972
Publication date:
28/08/2025
HCL BigFix SM is affected by a Sensitive Information Exposure vulnerability where internal connections do not use TLS encryption which could allow an attacker unauthorized access to sensitive data transmitted between internal components.
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2025

CVE-2025-31977
Publication date:
28/08/2025
HCL BigFix SM is affected by cryptographic weakness due to weak or outdated encryption algorithms.  An attacker with network access could exploit this weakness to decrypt or manipulate encrypted communications under certain conditions.
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2025

CVE-2025-31979
Publication date:
28/08/2025
A File Upload Validation Bypass vulnerability has been identified in the HCL BigFix SM, where the application fails to properly enforce file type restrictions during the upload process. An attacker may exploit this flaw to upload malicious or unauthorized files, such as scripts, executables, or web shells, by bypassing client-side or server-side validation mechanisms.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2025

CVE-2025-51643
Publication date:
28/08/2025
Meitrack T366G-L GPS Tracker devices contain an SPI flash chip (Winbond 25Q64JVSIQ) that is accessible without authentication or tamper protection. An attacker with physical access to the device can use a standard SPI programmer to extract the firmware using flashrom. This results in exposure of sensitive configuration data such as APN credentials, backend server information, and network parameter
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2025

CVE-2025-57767
Publication date:
28/08/2025
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.15.2, 21.10.2, and 22.5.2, if a SIP request is received with an Authorization header that contains a realm that wasn&amp;#39;t in a previous 401 response&amp;#39;s WWW-Authenticate header, or an Authorization header with an incorrect realm was received without a previous 401 response being sent, the get_authorization_header() function in res_pjsip_authenticator_digest will return a NULL. This wasn&amp;#39;t being checked before attempting to get the digest algorithm from the header which causes a SEGV. This issue has been patched in versions 20.15.2, 21.10.2, and 22.5.2. There are no workarounds.
Severity CVSS v4.0: Pending analysis
Last modification:
20/10/2025

CVE-2025-25010
Publication date:
28/08/2025
Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role which incorrectly has the ability to access all Kibana Spaces.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2025-29364
Publication date:
28/08/2025
spimsimulator spim v9.1.24 and before is vulnerable to Buffer Overflow in the READ_SYSCALL and WRITE_SYSCALL system calls. The application verifies the legitimacy of the starting and ending addresses for memory read/write operations. By configuring the starting and ending addresses for memory read/write to point to distinct memory segments within the virtual machine, it is possible to circumvent these checks.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2025

CVE-2024-13986
Publication date:
28/08/2025
Nagios XI
Severity CVSS v4.0: HIGH
Last modification:
04/11/2025
Subscribe to Vulnerabilities