Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-10071
Publication date:
07/09/2025
A vulnerability has been found in Portabilis i-Educar up to 2.10. This vulnerability affects unknown code of the file /cancelar-enturmacao-em-lote/. Such manipulation leads to improper access controls. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
09/09/2025

CVE-2025-10072
Publication date:
07/09/2025
A vulnerability was found in Portabilis i-Educar up to 2.10. This issue affects some unknown processing of the file /matricula/[ID_STUDENT]/enturmar/. Performing manipulation results in improper access controls. It is possible to initiate the attack remotely. The exploit has been made public and could be used.
Severity CVSS v4.0: MEDIUM
Last modification:
09/09/2025

CVE-2025-10070
Publication date:
07/09/2025
A flaw has been found in Portabilis i-Educar up to 2.10. This affects an unknown part of the file /enturmacao-em-lote/. This manipulation causes improper access controls. The attack is possible to be carried out remotely. The exploit has been published and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
09/09/2025

CVE-2025-48042
Publication date:
07/09/2025
Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels. This vulnerability is associated with program files lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/bulk.ex, lib/ash/actions/update/bulk.ex and program routines &amp;#39;Elixir.Ash.Actions.Create.Bulk&amp;#39;:run/5, &amp;#39;Elixir.Ash.Actions.Destroy.Bulk&amp;#39;:run/6, &amp;#39;Elixir.Ash.Actions.Update.Bulk:run&amp;#39;/6.<br /> <br /> This issue affects ash: from pkg:hex/ash before pkg:hex/ash@3.5.39, before 3.5.39, before 5d1b6a5d00771fd468a509778637527b5218be9a.
Severity CVSS v4.0: HIGH
Last modification:
08/09/2025

CVE-2025-39734
Publication date:
07/09/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Revert "fs/ntfs3: Replace inode_trylock with inode_lock"<br /> <br /> This reverts commit 69505fe98f198ee813898cbcaf6770949636430b.<br /> <br /> Initially, conditional lock acquisition was removed to fix an xfstest bug<br /> that was observed during internal testing. The deadlock reported by syzbot<br /> is resolved by reintroducing conditional acquisition. The xfstest bug no<br /> longer occurs on kernel version 6.16-rc1 during internal testing. I<br /> assume that changes in other modules may have contributed to this.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-39733
Publication date:
07/09/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> team: replace team lock with rtnl lock<br /> <br /> syszbot reports various ordering issues for lower instance locks and<br /> team lock. Switch to using rtnl lock for protecting team device,<br /> similar to bonding. Based on the patch by Tetsuo Handa.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2025

CVE-2025-39730
Publication date:
07/09/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()<br /> <br /> The function needs to check the minimal filehandle length before it can<br /> access the embedded filehandle.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-39731
Publication date:
07/09/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: vm_unmap_ram() may be called from an invalid context<br /> <br /> When testing F2FS with xfstests using UFS backed virtual disks the<br /> kernel complains sometimes that f2fs_release_decomp_mem() calls<br /> vm_unmap_ram() from an invalid context. Example trace from<br /> f2fs/007 test:<br /> <br /> f2fs/007 5s ... [12:59:38][ 8.902525] run fstests f2fs/007<br /> [ 11.468026] BUG: sleeping function called from invalid context at mm/vmalloc.c:2978<br /> [ 11.471849] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 68, name: irq/22-ufshcd<br /> [ 11.475357] preempt_count: 1, expected: 0<br /> [ 11.476970] RCU nest depth: 0, expected: 0<br /> [ 11.478531] CPU: 0 UID: 0 PID: 68 Comm: irq/22-ufshcd Tainted: G W 6.16.0-rc5-xfstests-ufs-g40f92e79b0aa #9 PREEMPT(none)<br /> [ 11.478535] Tainted: [W]=WARN<br /> [ 11.478536] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014<br /> [ 11.478537] Call Trace:<br /> [ 11.478543] <br /> [ 11.478545] dump_stack_lvl+0x4e/0x70<br /> [ 11.478554] __might_resched.cold+0xaf/0xbe<br /> [ 11.478557] vm_unmap_ram+0x21/0xb0<br /> [ 11.478560] f2fs_release_decomp_mem+0x59/0x80<br /> [ 11.478563] f2fs_free_dic+0x18/0x1a0<br /> [ 11.478565] f2fs_finish_read_bio+0xd7/0x290<br /> [ 11.478570] blk_update_request+0xec/0x3b0<br /> [ 11.478574] ? sbitmap_queue_clear+0x3b/0x60<br /> [ 11.478576] scsi_end_request+0x27/0x1a0<br /> [ 11.478582] scsi_io_completion+0x40/0x300<br /> [ 11.478583] ufshcd_mcq_poll_cqe_lock+0xa3/0xe0<br /> [ 11.478588] ufshcd_sl_intr+0x194/0x1f0<br /> [ 11.478592] ufshcd_threaded_intr+0x68/0xb0<br /> [ 11.478594] ? __pfx_irq_thread_fn+0x10/0x10<br /> [ 11.478599] irq_thread_fn+0x20/0x60<br /> [ 11.478602] ? __pfx_irq_thread_fn+0x10/0x10<br /> [ 11.478603] irq_thread+0xb9/0x180<br /> [ 11.478605] ? __pfx_irq_thread_dtor+0x10/0x10<br /> [ 11.478607] ? __pfx_irq_thread+0x10/0x10<br /> [ 11.478609] kthread+0x10a/0x230<br /> [ 11.478614] ? __pfx_kthread+0x10/0x10<br /> [ 11.478615] ret_from_fork+0x7e/0xd0<br /> [ 11.478619] ? __pfx_kthread+0x10/0x10<br /> [ 11.478621] ret_from_fork_asm+0x1a/0x30<br /> [ 11.478623] <br /> <br /> This patch modifies in_task() check inside f2fs_read_end_io() to also<br /> check if interrupts are disabled. This ensures that pages are unmapped<br /> asynchronously in an interrupt handler.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-39732
Publication date:
07/09/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: ath11k: fix sleeping-in-atomic in ath11k_mac_op_set_bitrate_mask()<br /> <br /> ath11k_mac_disable_peer_fixed_rate() is passed as the iterator to<br /> ieee80211_iterate_stations_atomic(). Note in this case the iterator is<br /> required to be atomic, however ath11k_mac_disable_peer_fixed_rate() does<br /> not follow it as it might sleep. Consequently below warning is seen:<br /> <br /> BUG: sleeping function called from invalid context at wmi.c:304<br /> Call Trace:<br /> <br /> dump_stack_lvl<br /> __might_resched.cold<br /> ath11k_wmi_cmd_send<br /> ath11k_wmi_set_peer_param<br /> ath11k_mac_disable_peer_fixed_rate<br /> ieee80211_iterate_stations_atomic<br /> ath11k_mac_op_set_bitrate_mask.cold<br /> <br /> Change to ieee80211_iterate_stations_mtx() to fix this issue.<br /> <br /> Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2025

CVE-2025-39729
Publication date:
07/09/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: ccp - Fix dereferencing uninitialized error pointer<br /> <br /> Fix below smatch warnings:<br /> drivers/crypto/ccp/sev-dev.c:1312 __sev_platform_init_locked()<br /> error: we previously assumed &amp;#39;error&amp;#39; could be null
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2025

CVE-2025-39727
Publication date:
07/09/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm: swap: fix potential buffer overflow in setup_clusters()<br /> <br /> In setup_swap_map(), we only ensure badpages are in range (0, last_page]. <br /> As maxpages might be = maxpages.<br /> <br /> Only call inc_cluster_info_page() for badpage which is
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2025

CVE-2025-10068
Publication date:
07/09/2025
A flaw has been found in itsourcecode Online Discussion Forum 1.0. This affects an unknown function of the file /admin/admin_forum/add_views.php. Executing manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
09/09/2025
Subscribe to Vulnerabilities