Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-62719
Publication date:
04/11/2025
LinkAce is a self-hosted archive to collect website links. In versions 2.3.0 and below, the htmlKeywordsFromUrl function in the FetchController class accepts user-provided URLs and makes HTTP requests to them without validating that the destination is not an internal or private network resource. This Server-Side Request Forgery (SSRF) vulnerability allows authenticated attackers to use the application server to perform port scanning and service discovery on internal networks. Practical impact is very limited because the function only extracts content from HTML meta keywords tags, which prevents meaningful data exfiltration from databases, APIs, or cloud metadata endpoints. This issue is fixed in version 2.4.0.
Severity CVSS v4.0: LOW
Last modification:
10/11/2025

CVE-2025-62715
Publication date:
04/11/2025
ClipBucket v5 is an open source video sharing platform. Versions 5.5.2-#147 and below contain a stored Cross-Site Scripting (XSS) vulnerability in ClipBucket’s Collection tags feature. An authenticated normal user can create a tag containing HTML or JavaScript, which is later rendered unescaped in collection detail and tag-list pages. As a result, arbitrary JavaScript executes in the browsers of all users who view the affected pages. This issue is fixed in version 5.5.2-#152.
Severity CVSS v4.0: MEDIUM
Last modification:
10/11/2025

CVE-2025-62369
Publication date:
04/11/2025
Xibo is an open source digital signage platform with a web content management system (CMS). Versions 4.3.0 and below contain a Remote Code Execution vulnerability in the CMS Developer menu's Module Templating functionality, allowing authenticated users with "System -> Add/Edit custom modules and templates" permissions to manipulate Twig filters and execute arbitrary server-side functions as the web server user. This issue is fixed in version 4.3.1. To workaround this issue, use the 4.1 and 4.2 patch commits.
Severity CVSS v4.0: Pending analysis
Last modification:
08/12/2025

CVE-2025-62507
Publication date:
04/11/2025
Redis is an open source, in-memory database that persists on disk. In versions 8.2.0 and above, a user can run the XACKDEL command with multiple ID's and trigger a stack buffer overflow, which may potentially lead to remote code execution. This issue is fixed in version 8.2.3. To workaround this issue without patching the redis-server executable is to prevent users from executing XACKDEL operation. This can be done using ACL to restrict XACKDEL command.
Severity CVSS v4.0: HIGH
Last modification:
08/12/2025

CVE-2025-56230
Publication date:
04/11/2025
Tencent Docs Desktop 3.9.20 and earlier suffers from Missing SSL Certificate Validation in the update component.
Severity CVSS v4.0: Pending analysis
Last modification:
10/02/2026

CVE-2025-54526
Publication date:
04/11/2025
Fuji Electric Monitouch V-SFT-6 is vulnerable to a stack-based buffer <br /> overflow while processing a specially crafted project file, which may <br /> allow an attacker to execute arbitrary code.
Severity CVSS v4.0: HIGH
Last modification:
12/11/2025

CVE-2025-54496
Publication date:
04/11/2025
A maliciously crafted project file may cause a heap-based buffer <br /> overflow in <br /> Fuji Electric Monitouch V-SFT-6, which may allow the attacker to execute arbitrary code.
Severity CVSS v4.0: HIGH
Last modification:
12/11/2025

CVE-2025-54335
Publication date:
04/11/2025
An issue was discovered in the GPU driver in Samsung Mobile Processor Exynos 1480, 2400, 1580, 2500. There is a use-after-free in the Xclipse GPU Driver.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2025

CVE-2025-55155
Publication date:
04/11/2025
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.27.1 and below, when a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user. This could result in storing an invalid email address, preventing the user from receiving system notifications. Notifications sent to another person&amp;#39;s email address could lead to information disclosure. This issue is fixed in version 2.27.2.
Severity CVSS v4.0: Pending analysis
Last modification:
10/11/2025

CVE-2025-52910
Publication date:
04/11/2025
An issue was discovered in the GPU in Samsung Mobile Processor and Wearable Processor Exynos 1280, 2200, 1330, 1380, 1480, 2400. A Use-After-Free leads to privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2025

CVE-2025-47776
Publication date:
04/11/2025
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Due to incorrect use of loose (==) instead of strict (===) comparison in the authentication code in versions 2.27.1 and below.PHP type juggling will cause certain MD5 hashes matching scientific notation to be interpreted as numbers. Instances using the MD5 login method allow an attacker who knows the victim&amp;#39;s username and has access to an account with a password hash that evaluates to zero to log in without knowing the victim&amp;#39;s actual password, by using any other password with a hash that also evaluates to zero This issue is fixed in version 2.27.2.
Severity CVSS v4.0: HIGH
Last modification:
10/11/2025

CVE-2025-48884
Publication date:
04/11/2025
Galette is a membership management web application for non profit organizations. In versions 1.1.5.2 and below, Galette&amp;#39;s Document Type is vulnerable to Cross-site Scripting. This issue is fixed in version 1.2.0.
Severity CVSS v4.0: MEDIUM
Last modification:
10/11/2025
Subscribe to Vulnerabilities