Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-7707
Publication date:
13/10/2025
The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, data tampering, or privilege escalation. The vulnerability arises from the use of a shared cache directory instead of a user-specific one, making it susceptible to local data tampering and denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2025

CVE-2025-11695
Publication date:
13/10/2025
When tlsInsecure=False appears in a connection string, certificate validation is disabled.<br /> <br /> This vulnerability affects MongoDB Rust Driver versions prior to v3.2.5
Severity CVSS v4.0: Pending analysis
Last modification:
04/12/2025

CVE-2025-62244
Publication date:
13/10/2025
Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.3.1 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92, and 7.3 GA through update 36 allows remote authenticated attackers to view the edit page of a publication via the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_ctCollectionId parameter.
Severity CVSS v4.0: MEDIUM
Last modification:
15/12/2025

CVE-2025-43991
Publication date:
13/10/2025
SupportAssist for Home PCs versions 4.8.2 and prior and SupportAssist for Business PCs versions 4.5.3 and prior, contain an UNIX Symbolic Link (Symlink) following vulnerability. A low privileged attacker with local access to the system could potentially exploit this vulnerability to delete arbitrary files only in that affected system.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-39964
Publication date:
13/10/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg<br /> <br /> Issuing two writes to the same af_alg socket is bogus as the<br /> data will be interleaved in an unpredictable fashion. Furthermore,<br /> concurrent writes may create inconsistencies in the internal<br /> socket state.<br /> <br /> Disallow this by adding a new ctx-&gt;write field that indiciates<br /> exclusive ownership for writing.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2025

CVE-2025-39965
Publication date:
13/10/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfrm: xfrm_alloc_spi shouldn&amp;#39;t use 0 as SPI<br /> <br /> x-&gt;id.spi == 0 means "no SPI assigned", but since commit<br /> 94f39804d891 ("xfrm: Duplicate SPI Handling"), we now create states<br /> and add them to the byspi list with this value.<br /> <br /> __xfrm_state_delete doesn&amp;#39;t remove those states from the byspi list,<br /> since they shouldn&amp;#39;t be there, and this shows up as a UAF the next<br /> time we go through the byspi list.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2025

CVE-2025-37729
Publication date:
13/10/2025
Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise (ECE) can lead to a malicious actor with Admin access exfiltrating sensitive information and issuing commands via a specially crafted string where Jinjava variables are evaluated.
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2025

CVE-2025-6919
Publication date:
13/10/2025
Improper Neutralization of Special Elements used in an SQL Command (&amp;#39;SQL Injection&amp;#39;) vulnerability in Cats Information Technology Software Development Technologies Aykome License Tracking System allows SQL Injection.This issue affects Aykome License Tracking System: before Version dated 06.10.2025.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2025

CVE-2025-9902
Publication date:
13/10/2025
Authorization Bypass Through User-Controlled Key vulnerability in AKIN Software Computer Import Export Industry and Trade Co. Ltd. QRMenu allows Privilege Abuse.This issue affects QRMenu: from 1.05.12 before Version dated 05.09.2025.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2025

CVE-2025-11184
Publication date:
13/10/2025
Cross-site scripting vulnerability in QGIS QWC2 Registration GUI
Severity CVSS v4.0: MEDIUM
Last modification:
14/10/2025

CVE-2025-9336
Publication date:
13/10/2025
A stack buffer overflow has been identified in the AsIO3.sys driver. This vulnerability can be triggered by input manipulation, may leading to a system crash (BSOD) or other potentially undefined execution. <br /> Refer to the &amp;#39;Security Update for Armoury Crate App&amp;#39; section on the ASUS Security Advisory for more information.
Severity CVSS v4.0: MEDIUM
Last modification:
14/10/2025

CVE-2025-9337
Publication date:
13/10/2025
A null pointer dereference has been identified in the AsIO3.sys driver. The vulnerability can be triggered by a specially crafted input, which may lead to a system crash (BSOD).<br /> Refer to the &amp;#39;Security Update for Armoury Crate App&amp;#39; section on the ASUS Security Advisory for more information.
Severity CVSS v4.0: MEDIUM
Last modification:
14/10/2025
Subscribe to Vulnerabilities