Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-62491

Publication date:
16/10/2025
A Use-After-Free (UAF) vulnerability exists in the QuickJS engine's standard library when iterating over the global list of unhandled rejected promises (ts->rejected_promise_list).

* The function js_std_promise_rejection_check attempts to iterate over the rejected_promise_list to report unhandled rejections using a standard list loop.
* The reason for a promise rejection is processed inside the loop, including calling js_std_dump_error1(ctx, rp->reason).
* If the promise rejection reason is an Error object that defines a custom property getter (e.g., via Object.defineProperty), this getter is executed during the error dumping process.
* The malicious custom getter can execute JavaScript code that calls catch() on the same rejected promise being processed.
* Calling catch() internally triggers js_std_promise_rejection_tracker, which then removes and frees the current promise entry (JSRejectedPromiseEntry) from the rejected_promise_list.
* Since the list iteration continues using the now-freed memory pointer (el), the subsequent loop access results in a Use-After-Free condition.
Severity CVSS v4.0: HIGH
Last modification:
30/10/2025

CVE-2025-62490

Publication date:
16/10/2025
In quickjs, in js_print_object, when printing an array, the function first fetches the array length and then loops over it. The issue is that printing a value is not side-effect free. An attacker-defined callback could run during js_print_value, during which the array could get resized and len1 become out of bounds. This results in a use-after-free. A second instance occurs in the same function during printing of map or set objects. The code iterates over the ms->records list, but once again, elements could be removed from the list during the js_print_value call.
Severity CVSS v4.0: HIGH
Last modification:
30/10/2025

CVE-2025-55035

Publication date:
16/10/2025
Mattermost Desktop App versions
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2025

CVE-2025-11840

Publication date:
16/10/2025
A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Manipulation can lead to an out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be exploited. The patch is identified as 16357. It is best practice to apply the patch to resolve this issue.
Severity CVSS v4.0: MEDIUM
Last modification:
23/10/2025

CVE-2025-11842

Publication date:
16/10/2025
A security vulnerability has been detected in Shazwazza Smidge up to 4.5.1. The impacted element is an unknown function of the component Bundle Handler. The manipulation of the argument Version leads to path traversal. Remote exploitation of the attack is possible. Upgrading to version 4.6.0 is sufficient to resolve this issue. It is recommended to upgrade the affected component.
Severity CVSS v4.0: MEDIUM
Last modification:
21/10/2025

CVE-2025-11851

Publication date:
16/10/2025
A vulnerability has been found in Apeman ID71 EN75.8.53.20. The affected element is an unknown function of the file /set_alias.cgi. Such manipulation of the argument alias leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
21/10/2025

CVE-2024-56143

Publication date:
16/10/2025
Strapi is an open-source headless content management system. In versions from 5.0.0 to before 5.5.2, the lookup operator provided by the document service does not properly sanitize query parameters for private fields. An attacker can access private fields, including admin passwords and reset tokens, by crafting queries with the lookup parameter. This vulnerability is fixed in 5.5.2.
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2025

CVE-2025-61536

Publication date:
16/10/2025
FelixRiddle dev-jobs-handlebars 1.0 uses absolute password-reset (magic) links using the untrusted `req.headers.host` header and forces the `http://` scheme. An attacker who can control the `Host` header (or exploit a misconfigured proxy/load-balancer that forwards the header unchanged) can cause reset links to point to attacker-controlled domains or be delivered via insecure HTTP, enabling token theft, phishing, and account takeover.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2025

CVE-2025-61540

Publication date:
16/10/2025
SQL injection vulnerability in Ultimate PHP Board 2.2.7 via the username field in lostpassword.php.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2025

CVE-2025-61543

Publication date:
16/10/2025
A Host Header Injection vulnerability exists in the password reset functionality of CraftMyCMS 4.0.2.2. The system uses `$_SERVER['HTTP_HOST']` directly to construct password reset links sent via email. An attacker can manipulate the Host header to send malicious reset links, enabling phishing attacks or account takeover.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2025

CVE-2025-61539

Publication date:
16/10/2025
Cross site scripting (XSS) vulnerability in Ultimate PHP Board 2.2.7 via the u_name parameter in lostpassword.php.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2025

CVE-2025-61541

Publication date:
16/10/2025
Webmin 2.510 is vulnerable to a Host Header Injection in the password reset functionality (forgot_send.cgi). The reset link sent to users is constructed using the HTTP Host header via get_webmin_email_url(). An attacker can manipulate the Host header to inject a malicious domain into the reset email. If a victim follows the poisoned link, the attacker can intercept the reset token and gain full control of the target account.
Severity CVSS v4.0: Pending analysis
Last modification:
06/11/2025