Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-64164
Publication date:
06/11/2025
Dataease is an open source data visualization analysis tool. In versions 2.10.14 and below, DataEase did not properly filter when establishing JDBC connections to Oracle, resulting in a risk of JNDI injection (Java Naming and Directory Interface injection). This issue is fixed in version 2.10.15.
Severity CVSS v4.0: HIGH
Last modification:
07/11/2025

CVE-2025-64171
Publication date:
06/11/2025
MARIN3R is a lightweight, CRD based envoy control plane for kubernetes. In versions 0.13.3 and below, there is a cross-namespace secret access vulnerability in the project's DiscoveryServiceCertificate which allows users to bypass RBAC and access secrets in unauthorized namespaces. This issue is fixed in version 0.13.4.
Severity CVSS v4.0: HIGH
Last modification:
06/11/2025

CVE-2025-64163
Publication date:
06/11/2025
DataEase is an open source data visualization analysis tool. In versions 2.10.14 and below, the vendor added a blacklist to filter ldap:// and ldaps://. However, omission of protection for the dns:// protocol results in an SSRF vulnerability. This issue is fixed in version 2.10.15.
Severity CVSS v4.0: HIGH
Last modification:
07/11/2025

CVE-2025-64114
Publication date:
06/11/2025
ClipBucket v5 is an open source video sharing platform. Versions 5.5.2 - #151 and below allow authenticated administrators with plugin management privileges to execute arbitrary SQL commands against the database through its ClipBucket Custom Fields plugin. The vulnerabilities require the Custom Fields plugin to be installed and accessible, and can only be exploited by users with administrative access to the plugin interface. This issue is fixed in version 5.5.2 - #.
Severity CVSS v4.0: Pending analysis
Last modification:
10/11/2025

CVE-2025-62596
Publication date:
06/11/2025
Youki is a container runtime written in Rust. In versions 0.5.6 and below, youki’s apparmor handling performs insufficiently strict write-target validation, and when combined with path substitution during pathname resolution, can allow writes to unintended procfs locations. While resolving a path component-by-component, a shared-mount race can substitute intermediate components and redirect the final target. This issue is fixed in version 0.5.7.
Severity CVSS v4.0: HIGH
Last modification:
10/11/2025

CVE-2025-62161
Publication date:
06/11/2025
Youki is a container runtime written in Rust. In versions 0.5.6 and below, the initial validation of the source /dev/null is insufficient, allowing container escape when youki utilizes bind mounting the container's /dev/null as a file mask. This issue is fixed in version 0.5.7.
Severity CVSS v4.0: HIGH
Last modification:
10/11/2025

CVE-2025-55278
Publication date:
05/11/2025
Improper authentication in the API authentication middleware of HCL DevOps Loop allows authentication tokens to be accepted without proper validation of their expiration and cryptographic signature. As a result, an attacker could potentially use expired or tampered tokens to gain unauthorized access to sensitive resources and perform actions with elevated privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
06/11/2025

CVE-2025-12779
Publication date:
05/11/2025
Improper handling of the authentication token in the Amazon WorkSpaces client for Linux, versions 2023.0 through 2024.8, may expose the authentication token for DCV-based WorkSpaces to other local users on the same client machine. Under certain circumstances, a local user may be able to extract another local user&amp;#39;s authentication token from the shared client machine and access their WorkSpace.<br /> <br /> To mitigate this issue, users should upgrade to the Amazon WorkSpaces client for Linux version 2025.0 or later.
Severity CVSS v4.0: HIGH
Last modification:
10/11/2025

CVE-2025-63585
Publication date:
05/11/2025
OSSN (Open Source Social Network) 8.6 is vulnerable to SQL Injection in /action/rtcomments/status via the timestamp parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
09/01/2026

CVE-2025-60784
Publication date:
05/11/2025
A vulnerability in the XiaozhangBang Voluntary Like System V8.8 allows remote attackers to manipulate the zhekou parameter in the /topfirst.php Pay module, enabling unauthorized discounts. By sending a crafted HTTP POST request with zhekou set to an abnormally low value, an attacker can purchase votes at a reduced cost. Furthermore, by modifying the zid parameter, attackers can influence purchases made by other users, amplifying the impact. This issue stems from insufficient server-side validation of these parameters, potentially leading to economic loss and unfair manipulation of vote counts.
Severity CVSS v4.0: Pending analysis
Last modification:
09/01/2026

CVE-2025-63334
Publication date:
05/11/2025
PocketVJ CP PocketVJ-CP-v3 pvj version 3.9.1 contains an unauthenticated remote code execution vulnerability in the submit_opacity.php component. The application fails to sanitize user input in the opacityValue POST parameter before passing it to a shell command, allowing remote attackers to execute arbitrary commands with root privileges on the underlying system.
Severity CVSS v4.0: Pending analysis
Last modification:
09/01/2026

CVE-2025-10853
Publication date:
05/11/2025
A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS.<br /> <br /> Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking.
Severity CVSS v4.0: Pending analysis
Last modification:
13/11/2025
Subscribe to Vulnerabilities