Vulnerabilities

To inform, warn and assist professionals about the latest security vulnerabilities in technology systems, we have made a Spanish-language database available to interested users, covering all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-14372

Publication date:
12/12/2025
Use after free in Password Manager in Google Chrome prior to 143.0.7499.110 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2025

CVE-2024-14010

Publication date:
12/12/2025
Typora 1.7.4 contains a command injection vulnerability in the PDF export preferences that allows attackers to execute arbitrary system commands. Attackers can inject malicious commands into the 'run command' input field during PDF export to achieve remote code execution.
Severity CVSS v4.0: HIGH
Last modification:
12/12/2025

CVE-2024-58299

Publication date:
12/12/2025
PCMan FTP Server 2.0 contains a buffer overflow vulnerability in the 'pwd' command that allows remote attackers to execute arbitrary code. Attackers can send a specially crafted payload during the FTP login process to overwrite memory and potentially gain system access.
Severity CVSS v4.0: CRITICAL
Last modification:
12/12/2025

CVE-2025-8082

Publication date:
12/12/2025
Improper neutralization of the title date in the 'VDatePicker' component in Vuetify allows unsanitized HTML to be inserted into the page. This can lead to a Cross-Site Scripting (XSS) attack (https://owasp.org/www-community/attacks/xss). The vulnerability occurs because the 'title-date-format' property of the 'VDatePicker' can accept a user-created function and assign its output to the 'innerHTML' property of the title element without sanitization.

This issue affects Vuetify versions greater than or equal to 2.0.0 and less than 3.0.0.

Note: Version 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see https://v2.vuetifyjs.com/en/about/eol/ .
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2025

CVE-2025-14571

Publication date:
12/12/2025
A vulnerability has been found in projectworlds Advanced Library Management System 1.0. Affected by this issue is some unknown functionality of the file /borrow_book.php. Such manipulation of the argument roll_number leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
12/12/2025

CVE-2025-14568

Publication date:
12/12/2025
A security vulnerability has been detected in haxxorsid Stock-Management-System up to fbbbf213e9c93b87183a3891f77e3cc7095f22b0. This impacts an unknown function of the file model/User.php. The manipulation of the argument employee_id/id/admin leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.
Severity CVSS v4.0: MEDIUM
Last modification:
12/12/2025

CVE-2025-14569

Publication date:
12/12/2025
A vulnerability was detected in ggml-org whisper.cpp up to 1.8.2. Affected is the function read_audio_data of the file /whisper.cpp/examples/common-whisper.cpp. The manipulation results in use after free. The attack requires a local approach. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity CVSS v4.0: MEDIUM
Last modification:
12/12/2025

CVE-2025-14570

Publication date:
12/12/2025
A flaw has been found in projectworlds Advanced Library Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /view_admin.php. This manipulation of the argument admin_id causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
12/12/2025

CVE-2025-40345

Publication date:
12/12/2025
In the Linux kernel, the following vulnerability has been resolved:

usb: storage: sddr55: Reject out-of-bound new_pba

Discovered by Atuin - Automated Vulnerability Discovery Engine.

new_pba comes from the status packet returned after each write. A bogus device could report values beyond the block count derived from info->capacity, letting the driver walk off the end of pba_to_lba[] and corrupt heap memory.

Reject PBAs that exceed the computed block count and fail the transfer so we avoid touching out-of-range mapping entries.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2025

CVE-2025-64011

Publication date:
12/12/2025
Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such as text files or images, without prior sharing permissions.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2025

CVE-2025-67342

Publication date:
12/12/2025
RuoYi versions 4.8.1 and earlier are affected by a stored XSS vulnerability in the /system/menu/edit endpoint. While the endpoint is protected by an XSS filter, the protection can be bypassed. Additionally, because the menu is shared across all users, any user with menu modification permissions can impact all users by exploiting this stored XSS vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2025

CVE-2025-67818

Publication date:
12/12/2025
An issue was discovered in Weaviate OSS before 1.33.4. An attacker with access to insert data into the database can craft an entry name with an absolute path (e.g., /etc/...) or use parent directory traversal (../../..) to escape the restore root when a backup is restored, potentially creating or overwriting files in arbitrary locations within the application's privilege scope.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2025