Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-12907
Publication date:
08/11/2025
Insufficient validation of untrusted input in Devtools in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to execute arbitrary code via user action in Devtools. (Chromium security severity: Low)
Severity CVSS v4.0: Pending analysis
Last modification:
21/11/2025

CVE-2025-12906
Publication date:
08/11/2025
Inappropriate implementation in Permissions in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Severity CVSS v4.0: Pending analysis
Last modification:
21/11/2025

CVE-2025-12905
Publication date:
08/11/2025
Inappropriate implementation in Downloads in Google Chrome on Windows prior to 140.0.7339.80 allowed a remote attacker to bypass Mark of the Web via a crafted HTML page. (Chromium security severity: Low)
Severity CVSS v4.0: Pending analysis
Last modification:
21/11/2025

CVE-2025-64436
Publication date:
07/11/2025
KubeVirt is a virtual machine management add-on for Kubernetes. In 1.5.0 and earlier, the permissions granted to the virt-handler service account, such as the ability to update VMI and patch nodes, could be abused to force a VMI migration to an attacker-controlled node. This vulnerability could otherwise allow an attacker to mark all nodes as unschedulable, potentially forcing the migration or creation of privileged pods onto a compromised node.
Severity CVSS v4.0: MEDIUM
Last modification:
12/11/2025

CVE-2025-64437
Publication date:
07/11/2025
KubeVirt is a virtual machine management add-on for Kubernetes. In versions before 1.5.3 and 1.6.1, the virt-handler does not verify whether the launcher-sock is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID 107 (the same user used by virt-launcher) thus, compromising the CIA (Confidentiality, Integrity and Availability) of data on the host. To successfully exploit this vulnerability, an attacker should be in control of the file system of the virt-launcher pod. This vulnerability is fixed in 1.5.3 and 1.6.1.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-64433
Publication date:
07/11/2025
KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, a vulnerability was discovered that allows a VM to read arbitrary files from the virt-launcher pod's file system. This issue stems from improper symlink handling when mounting PVC disks into a VM. Specifically, if a malicious user has full or partial control over the contents of a PVC, they can create a symbolic link that points to a file within the virt-launcher pod's file system. Since libvirt can treat regular files as block devices, any file on the pod's file system that is symlinked in this way can be mounted into the VM and subsequently read. Although a security mechanism exists where VMs are executed as an unprivileged user with UID 107 inside the virt-launcher container, limiting the scope of accessible resources, this restriction is bypassed due to a second vulnerability. The latter causes the ownership of any file intended for mounting to be changed to the unprivileged user with UID 107 prior to mounting. As a result, an attacker can gain access to and read arbitrary files located within the virt-launcher pod's file system or on a mounted PVC from within the guest VM. This vulnerability is fixed in 1.5.3 and 1.6.1.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-64434
Publication date:
07/11/2025
KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, due to the peer verification logic in virt-handler (via verifyPeerCert), an attacker who compromises a virt-handler instance, could exploit these shared credentials to impersonate virt-api and execute privileged operations against other virt-handler instances potentially compromising the integrity and availability of the VM managed by it. This vulnerability is fixed in 1.5.3 and 1.6.1.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-64435
Publication date:
07/11/2025
KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.7.0-beta.0, a logic flaw in the virt-controller allows an attacker to disrupt the control over a running VMI by creating a pod with the same labels as the legitimate virt-launcher pod associated with the VMI. This can mislead the virt-controller into associating the fake pod with the VMI, resulting in incorrect status updates and potentially causing a DoS (Denial-of-Service). This vulnerability is fixed in 1.7.0-beta.0.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-37736
Publication date:
07/11/2025
Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonly user can call APIs that should not be allowed. The list of APIs that are affected by this issue is:<br /> <br /> <br /> <br /> <br /> <br /> post:/platform/configuration/security/service-accounts<br /> delete:/platform/configuration/security/service-accounts/{user_id}<br /> patch:/platform/configuration/security/service-accounts/{user_id}<br /> post:/platform/configuration/security/service-accounts/{user_id}/keys<br /> delete:/platform/configuration/security/service-accounts/{user_id}/keys/{api_key_id}<br /> patch:/user<br /> post:/users<br /> post:/users/auth/keys<br /> delete:/users/auth/keys<br /> delete:/users/auth/keys/_all<br /> delete:/users/auth/keys/{api_key_id}<br /> delete:/users/{user_id}/auth/keys<br /> delete:/users/{user_id}/auth/keys/{api_key_id}<br /> delete:/users/{user_name}<br /> patch:/users/{user_name}
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-60574
Publication date:
07/11/2025
A Local File Inclusion (LFI) vulnerability has been identified in tQuadra CMS 4.2.1117. The issue exists in the "/styles/" path, which fails to properly sanitize user-supplied input. An attacker can exploit this by sending a crafted GET request to retrieve arbitrary files from the underlying system.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-63420
Publication date:
07/11/2025
CrushFTP11 before 11.3.7_57 is vulnerable to stored HTML injection in the CrushFTP Admin Panel (Reports / "Who Created Folder"), enabling persistent HTML execution in admin sessions.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-12418
Publication date:
07/11/2025
Potential Denial of Service issue in all supported versions of Revenera InstallShield version 2025 R1, 2024 R2, 2023 R2, and prior. When e.g., a local administrator performs an uninstall, a symlink may get followed on removal of a user writeable configuration directory and induce a Denial of Service as a result. The issue is resolved through the hotfixes InstallShield2025R1-CVE-2025-12418-SecurityPatch, InstallShield2024R2-CVE-2025-12418-SecurityPatch, and InstallShield2023R2-CVE-2025-12418-SecurityPatch.
Severity CVSS v4.0: MEDIUM
Last modification:
12/11/2025
Subscribe to Vulnerabilities