Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-54607
Publication date:
06/08/2025
Authentication management vulnerability in the ArkWeb module.<br /> Impact: Successful exploitation of this vulnerability may affect service confidentiality.
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2025-54608
Publication date:
06/08/2025
Vulnerability that allows setting screen rotation direction without permission verification in the screen management module.<br /> Impact: Successful exploitation of this vulnerability may cause device screen orientation to be arbitrarily set.
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2025-54609
Publication date:
06/08/2025
Out-of-bounds access vulnerability in the audio codec module.<br /> Impact: Successful exploitation of this vulnerability may affect availability.
Severity CVSS v4.0: Pending analysis
Last modification:
12/08/2025

CVE-2025-54653
Publication date:
06/08/2025
Path traversal vulnerability in the virtualization file module. Successful exploitation of this vulnerability may affect the confidentiality of the virtualization file module.
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2025-54655
Publication date:
06/08/2025
Race condition vulnerability in the virtualization base module. Successful exploitation of this vulnerability may affect the confidentiality and integrity of the virtualization graphics module.
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2025-54652
Publication date:
06/08/2025
Path traversal vulnerability in the virtualization base module. Successful exploitation of this vulnerability may affect the confidentiality of the virtualization module.
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2025-54883
Publication date:
06/08/2025
Vision UI is a collection of enterprise-grade, dependency-free modules for modern web projects. In versions 1.4.0 and below, the getSecureRandomInt function in security-kit versions prior to 3.5.0 (packaged in Vision-ui
Severity CVSS v4.0: CRITICAL
Last modification:
06/08/2025

CVE-2025-54884
Publication date:
06/08/2025
Vision UI is a collection of enterprise-grade, dependency-free modules for modern web projects. In versions 1.4.0 and below, the generateSecureId and getSecureRandomInt functions in security-kit versions prior to 3.5.0 (packaged in Vision UI 1.4.0 and below) are vulnerable to Denial of Service (DoS) attacks. The generateSecureId(length) function directly used the length parameter to size a Uint8Array buffer, allowing attackers to exhaust server memory through repeated requests for large IDs since the previous 1024 limit was insufficient. The getSecureRandomInt(min, max) function calculated buffer size based on the range between min and max, where large ranges caused excessive memory allocation and CPU-intensive rejection-sampling loops that could hang the thread. This issue is fixed in version 1.5.0.
Severity CVSS v4.0: HIGH
Last modification:
06/08/2025

CVE-2025-54873
Publication date:
06/08/2025
RISC Zero is a zero-knowledge verifiable general computing platform based on zk-STARKs and the RISC-V microarchitecture. RISC packages risc0-zkvm versions 2.0.0 through 2.1.0 and risc0-circuit-rv32im and risc0-circuit-rv32im-sys versions 2.0.0 through 2.0.4 contain vulnerabilities where signed integer division allows multiple outputs for certain inputs with only one being valid, and division by zero results are underconstrained. This issue is fixed in risc0-zkvm version 2.2.0 and version 3.0.0 for the risc0-circuit-rv32im and risc0-circuit-rv32im-sys packages.
Severity CVSS v4.0: LOW
Last modification:
06/08/2025

CVE-2025-54876
Publication date:
06/08/2025
The Janssen Project is an open-source identity and access management (IAM) platform. In versions 1.9.0 and below, Janssen stores passwords in plaintext in the local cli_cmd.log file. This is fixed in the nightly prerelease.
Severity CVSS v4.0: MEDIUM
Last modification:
06/08/2025

CVE-2025-54869
Publication date:
06/08/2025
FPDI is a collection of PHP classes that facilitate reading pages from existing PDF documents and using them as templates in FPDF. In versions 2.6.2 and below, any application that uses FPDI to process user-supplied PDF files is at risk, causing a Denial of Service (DoS) vulnerability. An attacker can upload a small, malicious PDF file that will cause the server-side script to crash due to memory exhaustion. Repeated attacks can lead to sustained service unavailability. This issue is fixed in version 2.6.3.
Severity CVSS v4.0: MEDIUM
Last modification:
06/08/2025

CVE-2025-54872
Publication date:
06/08/2025
onion-site-template is a complete, scalable tor hidden service self-hosting sample. Versions which include commit 3196bd89 contain a baked-in tor image if the secrets were copied from an existing onion domain. A website could be compromised if a user shared the baked-in image, or if someone were able to acquire access to the user&amp;#39;s device outside of a containerized environment. This is fixed by commit bc9ba0fd.
Severity CVSS v4.0: HIGH
Last modification:
06/08/2025
Subscribe to Vulnerabilities