Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-12832
Publication date:
08/12/2025
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
10/12/2025

CVE-2025-12635
Publication date:
08/12/2025
IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.12 are affected by cross-site scripting due to improper validation of user-supplied input. An attacker could exploit this vulnerability by using a specially crafted URL to redirect the user to a malicious site.
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2025

CVE-2025-65228
Publication date:
08/12/2025
A stored cross-site scripting vulnerability exists in the web management interface of the R.V.R. Elettronica TLK302T telemetry controller (firmware 1.5.1799).
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2025

CVE-2025-65230
Publication date:
08/12/2025
Barix Instreamer v04.06 and v04.05 contains a stored cross-site scripting (XSS) vulnerability in the Web UI Configuration Streaming Destination input.
Severity CVSS v4.0: Pending analysis
Last modification:
17/12/2025

CVE-2025-65229
Publication date:
08/12/2025
A stored cross-site scripting (XSS) vulnerability exists in the web interface of Lyrion Music Server
Severity CVSS v4.0: Pending analysis
Last modification:
20/01/2026

CVE-2025-65849
Publication date:
08/12/2025
A cryptanalytic break in Altcha Proof-of-Work obfuscation mode version 0.8.0 and later allows for remote visitors to recover the Proof-of-Work nonce in constant time via mathematical deduction. NOTE: this is disputed by the Supplier because the product's objective is "to discourage automated scraping / bots, not guarantee resistance to determined attackers." The documentation states “the goal is not to provide a secure cryptographic algorithm but to use a proof-of-work mechanism that allows any capable device to decrypt the hidden data.”
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2025

CVE-2025-65271
Publication date:
08/12/2025
Client-side template injection (CSTI) in Azuriom CMS admin dashboard allows a low-privilege user to execute arbitrary template code in the context of an administrator's session. This can occur via plugins or dashboard components that render untrusted user input, potentially enabling privilege escalation to an administrative account. Fixed in Azuriom 1.2.7.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2025

CVE-2025-65548
Publication date:
08/12/2025
NUT-14 allows cashu tokens to be created with a preimage hash. However, nutshell (cashubtc/nuts) before 0.18.0 do not validate the size of preimage when the token is spent. The preimage is stored by the mint and attacker can exploit this vulnerability to fill the mint's db nd disk with arbitrary data.
Severity CVSS v4.0: Pending analysis
Last modification:
15/12/2025

CVE-2025-65231
Publication date:
08/12/2025
Barix Instreamer v04.06 and earlier is vulnerable to Cross Site Scripting (XSS) in the Web UI I/O & Serial configuration page, specifically the CTS close command user-input field which is stored and later rendered on the Status page.
Severity CVSS v4.0: Pending analysis
Last modification:
17/12/2025

CVE-2025-14261
Publication date:
08/12/2025
The Litmus platform uses JWT for authentication and authorization, but the secret being used for signing the JWT is only 6 bytes long at its core, which makes it extremely easy to crack.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2025

CVE-2025-65804
Publication date:
08/12/2025
Tenda AX3 v16.03.12.11 contains a stack overflow in formSetIptv via the iptvType parameter, which can cause memory corruption and enable remote code execution (RCE).
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2025

CVE-2025-64081
Publication date:
08/12/2025
SQL injection vulnerability in /php/api_patient_schedule.php in SourceCodester Patients Waiting Area Queue Management System v1 allows attackers to execute arbitrary SQL commands via the appointmentID parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
08/12/2025
Subscribe to Vulnerabilities