Vulnerabilities

To inform, warn and help professionals stay current with the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, of all the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates that information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are available: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-21481

Publication date:
24/09/2025
Memory corruption while performing private key encryption in trusted application.
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2025

CVE-2025-21483

Publication date:
24/09/2025
Memory corruption when the UE receives an RTP packet from the network, during the reassembly of NALUs.
Severity CVSS v4.0: Pending analysis
Last modification:
28/11/2025

CVE-2025-21482

Publication date:
24/09/2025
Cryptographic issue while performing RSA PKCS padding decoding.
Severity CVSS v4.0: Pending analysis
Last modification:
02/12/2025

CVE-2025-10360

Publication date:
24/09/2025
In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used for encrypting content in the Infra Assistant database was not excluded from the files gathered by Puppet backup. The key is only present on the system if the user has a Puppet Enterprise Advanced license and has enabled the Infra Assistant feature. The key is used for encrypting one particular bit of data in the Infra Assistant database: the API key for their AI provider account. This has been fixed in Puppet Enterprise version 2025.6, and release notes for 2025.6 have remediation steps for users of affected versions who can't update to the latest version.
Severity CVSS v4.0: MEDIUM
Last modification:
24/09/2025

CVE-2025-8869

Publication date:
24/09/2025
When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706. Note that this is a vulnerability in pip's fallback implementation of tar extraction for Python versions that don't implement PEP 706 and therefore are not secure to all vulnerabilities in the Python 'tarfile' module. If you're using a Python version that implements PEP 706 then pip doesn't use the "vulnerable" fallback code. Mitigations include upgrading to a version of pip that includes the fix, upgrading to a Python version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or inspecting source distributions (sdists) before installation as is already a best-practice.
Severity CVSS v4.0: MEDIUM
Last modification:
03/11/2025

CVE-2025-48868

Publication date:
24/09/2025
Horilla is a free and open source Human Resource Management System (HRMS). An authenticated Remote Code Execution (RCE) vulnerability exists in Horilla 1.3.0 due to the unsafe use of Python’s eval() function on a user-controlled query parameter in the project_bulk_archive view. This allows privileged users (e.g., administrators) to execute arbitrary system commands on the server. While having Django’s DEBUG=True makes exploitation visibly easier by returning command output in the HTTP response, this is not required. The vulnerability can still be exploited in DEBUG=False mode by using blind payloads such as a reverse shell, leading to full remote code execution. This issue has been patched in version 1.3.1.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2025

CVE-2025-23353

Publication date:
24/09/2025
NVIDIA Megatron-LM for all platforms contains a vulnerability in the msdp preprocessing script where malicious data created by an attacker may cause an injection. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, Information disclosure, and data tampering.
Severity CVSS v4.0: Pending analysis
Last modification:
10/10/2025

CVE-2025-23354

Publication date:
24/09/2025
NVIDIA Megatron-LM for all platforms contains a vulnerability in the ensemble_classifer script where malicious data created by an attacker may cause an injection. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, Information disclosure, and data tampering.
Severity CVSS v4.0: Pending analysis
Last modification:
10/10/2025

CVE-2025-23339

Publication date:
24/09/2025
NVIDIA CUDA Toolkit for all platforms contains a vulnerability in cuobjdump where an attacker may cause a stack-based buffer overflow by getting the user to run cuobjdump on a malicious ELF file. A successful exploit of this vulnerability may lead to arbitrary code execution at the privilege level of the user running cuobjdump.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-23338

Publication date:
24/09/2025
NVIDIA CUDA Toolkit for all platforms contains a vulnerability in nvdisasm where a user may cause an out-of-bounds write by running nvdisasm on a malicious ELF file. A successful exploit of this vulnerability may lead to denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-23340

Publication date:
24/09/2025
NVIDIA CUDA Toolkit for all platforms contains a vulnerability in the nvdisasm binary where a user may cause an out-of-bounds read by passing a malformed ELF file to nvdisasm. A successful exploit of this vulnerability may lead to a partial denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-23346

Publication date:
24/09/2025
NVIDIA CUDA Toolkit contains a vulnerability in cuobjdump, where an unprivileged user can cause a NULL pointer dereference. A successful exploit of this vulnerability may lead to a limited denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
06/10/2025