Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-10283

Publication date:
09/10/2025
BBOT's gitdumper module could be abused to execute commands through a malicious git repository.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2025

CVE-2025-10281

Publication date:
09/10/2025
BBOT's git_clone module could be abused to disclose a GitHub API key to an attacker-controlled server with a maliciously formatted git URL.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2025

CVE-2025-56683

Publication date:
09/10/2025
A cross-site scripting (XSS) vulnerability in the component /app/marketplace.html of Logseq v0.10.9 allows attackers to execute arbitrary code by injecting arbitrary JavaScript into a crafted README.md file.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2025

CVE-2025-45095

Publication date:
09/10/2025
Lavasoft Web Companion (also known as Ad-Aware WebCompanion) versions 8.9.0.1091 through 12.1.3.1037 installs the DCIService.exe service with an unquoted service path vulnerability. An attacker with write access to the file system could potentially execute arbitrary code with elevated privileges by placing a malicious executable in the unquoted path.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2025

CVE-2025-32919

Publication date:
09/10/2025
Use of an insecure temporary directory in the Windows License plugin for the Checkmk Windows Agent allows Privilege Escalation. This issue affects Checkmk: from 2.4.0 before 2.4.0p13, from 2.3.0 before 2.3.0p38, from 2.2.0 before 2.2.0p46, and all versions of 2.1.0 (EOL).
Severity CVSS v4.0: HIGH
Last modification:
13/10/2025

CVE-2025-39664

Publication date:
09/10/2025
Insufficient escaping in the report scheduler within Checkmk
Severity CVSS v4.0: HIGH
Last modification:
13/10/2025

CVE-2025-32916

Publication date:
09/10/2025
Potential use of sensitive information in GET requests in Checkmk GmbH's Checkmk versions
Severity CVSS v4.0: LOW
Last modification:
09/10/2025

CVE-2025-62228

Publication date:
09/10/2025
Apache Flink CDC version 3.4.0 was vulnerable to a SQL injection via maliciously crafted identifiers, e.g. a crafted database name or crafted table name. Even though only the logged-in database user can trigger the attack, we recommend users update Flink CDC to version 3.5.0, which addresses this issue.
Severity CVSS v4.0: MEDIUM
Last modification:
09/10/2025

CVE-2025-11561

Publication date:
09/10/2025
A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.
Severity CVSS v4.0: Pending analysis
Last modification:
10/10/2025

CVE-2025-36225

Publication date:
09/10/2025
IBM Aspera 5.0.0 through 5.0.13.1 could disclose sensitive user information from the system to an authenticated user due to an observable discrepancy of returned data.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2025

CVE-2025-36171

Publication date:
09/10/2025
IBM Aspera Faspex 5.0.0 through 5.0.13.1 could allow a privileged user to cause a denial of service from improperly validated API input due to excessive resource consumption.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2025

CVE-2023-37401

Publication date:
09/10/2025
IBM Aspera Faspex 5.0.0 through 5.0.13.1 uses a cross-domain policy file that includes domains that should not be trusted.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2025