Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates that information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-65886

Publication date:
28/01/2026
A shape mismatch vulnerability in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via supplying crafted tensor shapes.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2025-65887

Publication date:
28/01/2026
A division-by-zero vulnerability in the flow.floor_divide() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input tensor with zero.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2025-65888

Publication date:
28/01/2026
A dimension validation flaw in the flow.empty() component of OneFlow 0.9.0 allows attackers to cause a Denial of Service (DoS) via a negative or excessively large dimension value.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2025-65889

Publication date:
28/01/2026
A type validation flaw in the flow.dstack() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2025-65890

Publication date:
28/01/2026
A device-ID validation flaw in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) by calling flow.cuda.synchronize() with an invalid or out-of-range GPU device index.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2025-13917

Publication date:
28/01/2026
WSS Agent, prior to 9.8.5, may be susceptible to an Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2025-13918

Publication date:
28/01/2026
Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 Patch 3, may be susceptible to an Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2025-13919

Publication date:
28/01/2026
Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 Patch 3, may be susceptible to a COM Hijacking vulnerability, which is a type of issue whereby an attacker attempts to establish persistence and evade detection by hijacking COM references in the Windows Registry.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2026-1536

Publication date:
28/01/2026
A flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) sequences into the header value. These sequences are then interpreted verbatim when the HTTP request or response is constructed, allowing arbitrary HTTP headers to be injected. This vulnerability can lead to HTTP header injection or HTTP response splitting without requiring authentication or user interaction.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2026-1539

Publication date:
28/01/2026
A flaw was found in the libsoup HTTP library that can cause proxy authentication credentials to be sent to unintended destinations. When handling HTTP redirects, libsoup removes the Authorization header but does not remove the Proxy-Authorization header if the request is redirected to a different host. As a result, sensitive proxy credentials may be leaked to third-party servers. Applications using libsoup for HTTP communication may unintentionally expose proxy authentication data.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2026-23553

Publication date:
28/01/2026
In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider:

1) vCPU runs on CPU A, running task 1.
2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB.
3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB.
4) vCPU moves back to CPU A. Xen skips IBPB again.

Now, task 2 is running on CPU A with task 1's training still in the BTB.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026

CVE-2025-69517

Publication date:
28/01/2026
An issue in Amidaware Inc Tactical RMM v1.3.1 and before allows a remote attacker to execute arbitrary code via the /api/tacticalrmm/apiv3/views.py component.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2026