Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-68381

Publication date:
18/12/2025
Improper Bounds Check (CWE-787) in Packetbeat can allow a remote unauthenticated attacker to exploit a Buffer Overflow (CAPEC-100) and reliably crash the application or cause significant resource exhaustion via a single crafted UDP packet with an invalid fragment sequence number.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2025-68382

Publication date:
18/12/2025
Out-of-bounds read (CWE-125) allows an unauthenticated remote attacker to perform a buffer overflow (CAPEC-100) via the NFS protocol dissector, leading to a denial-of-service (DoS) through a reliable process crash when handling truncated XDR-encoded RPC messages.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2025-68383

Publication date:
18/12/2025
Improper Validation of Specified Index, Position, or Offset in Input (CWE-1285) in Filebeat Syslog parser and the Libbeat Dissect processor can allow a user to trigger a Buffer Overflow (CAPEC-100) and cause a denial of service (panic/crash) of the Filebeat process via either a malformed Syslog message or a malicious tokenizer pattern in the Dissect configuration.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2025-68384

Publication date:
18/12/2025
Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) causing a persistent denial of service (OOM crash) via submission of oversized user settings data.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2025-68388

Publication date:
18/12/2025
Allocation of resources without limits or throttling (CWE-770) allows an unauthenticated remote attacker to cause excessive allocation (CAPEC-130) of memory and CPU via the integration of malicious IPv4 fragments, leading to a degradation in Packetbeat.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2025-64677

Publication date:
18/12/2025
Improper neutralization of input during web page generation ('cross-site scripting') in Office Out-of-Box Experience allows an unauthorized attacker to perform spoofing over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2025-65037

Publication date:
18/12/2025
Improper control of generation of code ('code injection') in Azure Container Apps allows an unauthorized attacker to execute code over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2025-65041

Publication date:
18/12/2025
Improper authorization in Microsoft Partner Center allows an unauthorized attacker to elevate privileges over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2025-65046

Publication date:
18/12/2025
Microsoft Edge (Chromium-based) Spoofing Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2025-64663

Publication date:
18/12/2025
Custom Question Answering Elevation of Privilege Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2025-64676

Publication date:
18/12/2025
'.../...//' in Microsoft Purview allows an authorized attacker to execute code over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2025-34449

Publication date:
18/12/2025
Genymobile/scrcpy versions up to and including 3.3.3 and prior to commit 3e40b24 contain a global buffer overflow vulnerability in the function sc_read32be, invoked via sc_device_msg_deserialize() and process_msgs(). Processing crafted device messages can cause reads beyond the bounds of a global buffer, leading to memory corruption or crashes. This vulnerability can be exploited to cause a denial of service and, under certain conditions, may be leveraged for further exploitation depending on the execution environment and available mitigations.
Severity CVSS v4.0: MEDIUM
Last modification:
19/12/2025