Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which, by virtue of a partnership agreement, INCIBE translates into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All collected vulnerabilities are linked to different information sources, as well as to the available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2022-50637

Publication date:
09/12/2025
In the Linux kernel, the following vulnerability has been resolved:

cpufreq: qcom-hw: Fix memory leak in qcom_cpufreq_hw_read_lut()

If "cpu_dev" fails to get the opp table in qcom_cpufreq_hw_read_lut(),
the function returns early, and the "table" resource is not released.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2025

CVE-2022-50631

Publication date:
09/12/2025
In the Linux kernel, the following vulnerability has been resolved:

RISC-V: kexec: Fix memory leak of fdt buffer

This is reported by the kmemleak detector:

unreferenced object 0xff60000082864000 (size 9588):
comm "kexec", pid 146, jiffies 4294900634 (age 64.788s)
hex dump (first 32 bytes):
d0 0d fe ed 00 00 12 ed 00 00 00 48 00 00 11 40 ...........H...@
00 00 00 28 00 00 00 11 00 00 00 02 00 00 00 00 ...(............
backtrace:
[] kmemleak_alloc+0x34/0x3e
[] kmalloc_order+0x9c/0xc4
[] kmalloc_order_trace+0x34/0xb6
[] __kmalloc+0x5c2/0x62a
[] kvmalloc_node+0x66/0xd6
[] of_kexec_alloc_and_setup_fdt+0xa6/0x6ea
[] elf_kexec_load+0x206/0x4ec
[] kexec_image_load_default+0x40/0x4c
[] sys_kexec_file_load+0x1c4/0x322
[] ret_from_syscall+0x0/0x2

In elf_kexec_load(), a buffer is allocated via kvmalloc() to store the fdt,
but it is not freed back to the system when the kexec kernel is reloaded or
unloaded, so memory is leaked. Fix it by introducing the RISC-V specific
function arch_kimage_file_post_load_cleanup() and freeing the buffer there.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2025

CVE-2013-10031

Publication date:
09/12/2025
Plack-Middleware-Session versions before 0.17 may be vulnerable to HMAC comparison timing attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2025

CVE-2025-66204

Publication date:
09/12/2025
WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying `X-Forwarded-For` on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The application fully trusts the `X-Forwarded-For` header without validating it or restricting its usage. This issue is fixed in version 1.6.5.
Severity CVSS v4.0: MEDIUM
Last modification:
09/12/2025

CVE-2025-66469

Publication date:
09/12/2025
NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to Reflected XSS through its ui.add_css, ui.add_scss, and ui.add_sass functions. The functions lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended or tags by injecting closing tags (e.g., or ), allowing for the execution of arbitrary JavaScript. This issue is fixed in version 3.4.0.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2025

CVE-2025-65962

Publication date:
09/12/2025
Tuleap is a free and open source suite for management of software development and collaboration. Versions of Tuleap Community Edition prior to 17.0.99.1763803709 and Tuleap Enterprise Edition versions prior to 17.0-4 and 16.13-9 are missing CSRF protections in its tracker field dependencies, allowing attackers to modify tracker fields. This issue is fixed in Tuleap Community Edition version 17.0.99.1763803709 and Tuleap Enterprise Edition versions 17.0-4 and 16.13-9.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2025

CVE-2025-65964

Publication date:
09/12/2025
n8n is an open source workflow automation platform. Versions 0.123.1 through 1.119.1 do not have adequate protections to prevent RCE through the project's pre-commit hooks. The Add Config operation allows workflows to set arbitrary Git configuration values, including core.hooksPath, which can point to a malicious Git hook that executes arbitrary commands on the n8n host during subsequent Git operations. Exploitation requires the ability to create or modify an n8n workflow using the Git node. This issue is fixed in version 1.119.2. Workarounds include excluding the Git Node (Docs) and avoiding cloning or interacting with untrusted repositories using the Git Node.
Severity CVSS v4.0: CRITICAL
Last modification:
09/12/2025

CVE-2025-66202

Publication date:
09/12/2025
Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was fixed in v5.15.8, the fix is insufficient as it only decodes once. By using double-encoded URLs, attackers can still bypass authentication and access any route protected by middleware pathname checks. This issue is fixed in version 5.15.8.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2025

CVE-2025-64498

Publication date:
08/12/2025
Tuleap is an open source suite for management of software development and collaboration. Tuleap Community Edition versions below 17.0.99.1762444754 and Tuleap Enterprise Edition versions prior to 17.0-2, 16.13-7 and 16.12-10 allow attackers to trick victims into changing tracker general settings. This issue is fixed in Tuleap Community Edition version 17.0.99.1762444754 and Tuleap Enterprise Edition versions 17.0-2, 16.13-7 and 16.12-10.
Severity CVSS v4.0: Pending analysis
Last modification:
08/12/2025

CVE-2025-64499

Publication date:
08/12/2025
Tuleap is a free and open source suite for management of software development and collaboration. Tuleap Community Edition versions prior to 17.0.99.1762456922 and Tuleap Enterprise Edition versions prior to 17.0-2, 16.13-7 and 16.12-10 are vulnerable to CSRF attacks through the planning management API. Attackers can create, edit or remove plans. This issue is fixed in Tuleap Community Edition version 17.0.99.1762456922 and Tuleap Enterprise Edition versions 17.0-2, 16.13-7 and 16.12-10.
Severity CVSS v4.0: Pending analysis
Last modification:
08/12/2025

CVE-2025-64760

Publication date:
08/12/2025
Tuleap is a free and open source suite for management of software development and collaboration. Versions of Tuleap Community Edition prior to 17.0.99.1763126988 and Tuleap Enterprise Edition prior to 17.0-3 and 16.13-8 have missing CSRF protections which allow attackers to create or remove tracker triggers. This issue is fixed in Tuleap Community Edition version 17.0.99.1763126988 and Tuleap Enterprise Edition versions 17.0-3 and 16.13-8.
Severity CVSS v4.0: Pending analysis
Last modification:
08/12/2025

CVE-2025-36140

Publication date:
08/12/2025
IBM watsonx.data 2.2 through 2.2.1 could allow an authenticated user to cause a denial of service through ingestion pods due to improper allocation of resources without limits.
Severity CVSS v4.0: Pending analysis
Last modification:
08/12/2025