Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-9613
Publication date:
09/12/2025
A vulnerability was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, where insufficient guidance on tag reuse after completion timeouts may allow multiple outstanding Non-Posted Requests to share the same tag. This tag aliasing condition can result in completions being delivered to the wrong security context, potentially compromising data integrity and confidentiality.
Severity CVSS v4.0: Pending analysis
Last modification:
10/12/2025

CVE-2025-9614
Publication date:
09/12/2025
An issue was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, where insufficient guidance on re-keying and stream flushing during device rebinding may allow stale write transactions from a previous security context to be processed in a new one. This can lead to unintended data access across trusted domains, compromising confidentiality and integrity.
Severity CVSS v4.0: Pending analysis
Last modification:
10/12/2025

CVE-2025-65300
Publication date:
09/12/2025
A stored Cross-Site Scripting (XSS) vulnerability exists in the Coohom SaaS Platform feVersion=1760060603897 (2025-10-28) in the Account Settings module, where unsanitized user input in Address fields (City, State, Country/Region) is rendered back to the page. Attackers can inject arbitrary JavaScript code, which executes when the affected profile page is viewed. This can lead to session hijacking, cookie theft, or arbitrary script execution in the victim's browser.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2025

CVE-2025-65572
Publication date:
09/12/2025
Cross Site Scripting (XSS) vulnerability in AllskyTeam AllSky v2024.12.06_06 allows remote attackers to execute arbitrary code via the (1) config, (2) filename, or (3) extratext parameter to allskySettings.php. When the page is reloaded or when user visits allskySettings.php, the showMessages() function in status_messages.php will print out the error messages and execute the script injected by the attacker.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2025

CVE-2025-65573
Publication date:
09/12/2025
Cross Site Request Forgery (CSRF) vulnerability in AllskyTeam AllSky v2024.12.06_06 allows remote attackers to cause a denial of service via function handle_interface_POST_and_status.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2025

CVE-2025-65882
Publication date:
09/12/2025
An issue was discovered in openmptcprouter thru 0.64 in file common/package/utils/sys-upgrade-helper/src/tools/sysupgrade.c in function create_xor_ipad_opad allowing attackers to potentially write arbitrary files or execute arbitrary commands.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2025

CVE-2025-14335
Publication date:
09/12/2025
A vulnerability has been found in itsourcecode Student Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /new_school_year.php. The manipulation of the argument sy leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
09/12/2025

CVE-2025-14336
Publication date:
09/12/2025
A vulnerability was found in itsourcecode Student Management System 1.0. Affected by this issue is some unknown functionality of the file /promote.php. The manipulation of the argument sy results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.
Severity CVSS v4.0: MEDIUM
Last modification:
09/12/2025

CVE-2025-14334
Publication date:
09/12/2025
A flaw has been found in itsourcecode Student Management System 1.0. Affected is an unknown function of the file /new_adviser.php. Executing manipulation of the argument Name can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
09/12/2025

CVE-2025-11531
Publication date:
09/12/2025
HP System Event Utility and Omen Gaming Hub might allow execution of <br /> certain files outside of their restricted paths. This<br /> potential vulnerability was remediated with HP System <br /> Event Utility version 3.2.12 and Omen Gaming Hub version <br /> 1101.2511.101.0.
Severity CVSS v4.0: MEDIUM
Last modification:
09/12/2025

CVE-2025-65594
Publication date:
09/12/2025
OpenSIS 9.2 and below is vulnerable to Incorrect Access Control in Student.php, which allows an authenticated low-privilege user to perform unauthorized database write operations relating to the data of other users.
Severity CVSS v4.0: Pending analysis
Last modification:
10/12/2025

CVE-2025-64679
Publication date:
09/12/2025
Heap-based buffer overflow in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2025
Subscribe to Vulnerabilities