Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-65503
Publication date:
24/11/2025
Use after free in endpoint destructors in Redboltz async_mqtt 10.2.5 allows local users to cause a denial of service via triggering SSL initialization failure that results in incorrect destruction order between io_context and endpoint objects.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2025

CVE-2025-65998
Publication date:
24/11/2025
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.<br /> <br /> When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values.<br /> This is not affecting encrypted plain attributes, whose values are also stored using AES encryption.<br /> <br /> Users are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
26/11/2025

CVE-2025-65495
Publication date:
24/11/2025
Integer signedness error in tls_verify_call_back() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted TLS certificate that causes i2d_X509() to return -1 and be misused as a malloc() size parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2025

CVE-2025-65496
Publication date:
24/11/2025
NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2025

CVE-2025-65497
Publication date:
24/11/2025
NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2025

CVE-2025-65498
Publication date:
24/11/2025
NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2025

CVE-2025-65499
Publication date:
24/11/2025
Array index error in tls_verify_call_back() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_ex_data_X509_STORE_CTX_idx() to return -1.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2025

CVE-2025-65500
Publication date:
24/11/2025
NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2025

CVE-2025-65501
Publication date:
24/11/2025
Null pointer dereference in coap_dtls_info_callback() in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a DTLS handshake where SSL_get_app_data() returns NULL.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2025

CVE-2025-65493
Publication date:
24/11/2025
NULL pointer dereference in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS/TLS connection that triggers BIO_get_data() to return NULL.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2025

CVE-2025-65494
Publication date:
24/11/2025
NULL pointer dereference in get_san_or_cn_from_cert() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted X.509 certificate that causes sk_GENERAL_NAME_value() to return NULL.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2025

CVE-2025-41016
Publication date:
24/11/2025
Inadequate access control vulnerability in Davantis DFUSION v6.177.7, which allows unauthorised actors to extract images and videos related to alarm events through access to “/alarms//”, where the “MEDIA” parameter can take the value of “snapshot” or “video.mp4”. These media files contain images recorded by security cameras in response to triggered alerts.
Severity CVSS v4.0: HIGH
Last modification:
25/11/2025
Subscribe to Vulnerabilities