Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-71287

Publication date:
06/05/2026
In the Linux kernel, the following vulnerability has been resolved:
memory: mtk-smi: fix device leak on larb probe
Make sure to drop the reference taken when looking up the SMI device during larb probe on late probe failure (e.g. probe deferral) and on driver unbind.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2025-31951

Publication date:
06/05/2026
HCL BigFix RunBookAI is affected by an Unvalidated Command Input / Potential Command Smuggling vulnerability. A flaw in a component's input handling was identified that could permit unauthorized command execution.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2025-62345

Publication date:
06/05/2026
HCL BigFix RunBookAI is affected by a Continued availability of Less-Secure “Input Text” Vulnerability. A component contains a security weakness in its input handling implementation, increasing the risk of misconfiguration and operational errors.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-6420

Publication date:
06/05/2026
A flaw was found in Keylime. An attacker with root access on an enrolled monitored machine, where the Keylime agent runs, can exploit a vulnerability in the Keylime verifier. The verifier uses a hardcoded challenge nonce for Trusted Platform Module (TPM) quote attestation instead of a cryptographically random value. This allows the attacker to stockpile valid TPM quotes and replay them to evade detection after compromising the system. This issue affects only the push model deployment.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2025-59854

Publication date:
06/05/2026
HCL DFXAnalytics is affected by an Insecure Security Header Configuration vulnerability where the application utilizes the outdated X-XSS-Protection header, which could allow an attacker to exploit browser-specific rendering flaws or bypass security controls that should instead be managed by a robust Content Security Policy (CSP).
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2025-59853

Publication date:
06/05/2026
HCL DFXAnalytics is affected by an Improper Error Handling vulnerability where the application exposes detailed stack traces in responses, which could allow an attacker to gain insights into the application's internal structure, code logic, and environment configurations.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2025-59852

Publication date:
06/05/2026
HCL DFXAnalytics is affected by an Insufficient Transport Layer Protection vulnerability where data is transmitted over the network without encryption, which could allow an attacker to compromise the confidentiality, integrity, and authentication of sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2025-59851

Publication date:
06/05/2026
HCL DFXAnalytics is affected by a Using Components with Known Vulnerabilities flaw where the application utilizes unpatched libraries or sub-components, which could allow an attacker to identify and exploit publicly known security vulnerabilities to gain unauthorized access or compromise the application.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2025-31970

Publication date:
06/05/2026
HCL DFXAnalytics is affected by an Insecure Security Header configuration vulnerability where the Content-Security-Policy does not define strict directives for object-src and base-uri, which could allow an attacker to exploit injection vectors such as Cross-Site Scripting (XSS).
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2026-43975

Publication date:
06/05/2026
FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName before constructing file paths, allowing an unauthenticated attacker to write arbitrary files outside the intended upload directory or read files from arbitrary locations on the server.
This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0.
Users are recommended to upgrade to version 10.9.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-43646

Publication date:
06/05/2026
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket.
This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0.
Users are recommended to upgrade to version 10.9.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026

CVE-2026-6860

Publication date:
06/05/2026
A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accepting *.example.com, any XYZ.example.com where xyz is a valid name can be used.
Severity CVSS v4.0: MEDIUM
Last modification:
12/05/2026