Vulnerabilities

To inform and warn security professionals about the latest vulnerabilities in technology systems, we maintain a database, in Spanish, of all recently documented and recognised vulnerabilities.

This repository, with over 75,000 records, is built on the information published by the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates that information into Spanish.

The list will occasionally show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still translating them. Entries are identified with the CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities, which supports the exchange of information between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or fixes provided by vendors and developers. Advanced searches are possible: results can be narrowed by criteria such as vulnerability type, vendor and impact level, among others.

RSS feeds and newsletters provide daily notice of the vulnerabilities added to the repository. The list below, updated daily, shows the latest vulnerabilities.

CVE-2025-55151

Publication date:
11/08/2025
Stirling-PDF is a locally hosted web application that performs various operations on PDF files. Prior to version 1.1.0, the "convert file to pdf" functionality (/api/v1/convert/file/pdf) uses LibreOffice's unoconvert tool for conversion, and SSRF vulnerabilities exist during the conversion process. This issue has been patched in version 1.1.0.
Severity CVSS v4.0: Pending analysis
Last modification:
15/08/2025

CVE-2025-54992

Publication date:
11/08/2025
OpenKilda is an open-source OpenFlow controller. Prior to version 1.164.0, an XML external entity (XXE) injection vulnerability was found in OpenKilda which in combination with GHSL-2025-024 allows unauthenticated attackers to exfiltrate information from the instance where the OpenKilda UI is running. This issue may lead to Information disclosure. This issue has been patched in version 1.164.0.
Severity CVSS v4.0: MEDIUM
Last modification:
12/08/2025
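
The OpenKilda entry above gives no details of its parser configuration; the following is an added illustration (not OpenKilda code) of the XXE pattern in general, using Python's standard-library xml.sax parser. With external general entities switched on, an entity declared as SYSTEM "file://..." makes the parser read a local file and splice its contents into the document; the hardened variant refuses any DTD before parsing. The secret file, its contents and the payload are constructed for the example.

```python
import io
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Gathers character data, as an application reading values out of the
    document would; leaked file contents end up here (or in an error message)."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    @property
    def text(self):
        return "".join(self.parts).strip()


def parse_vulnerable(xml_bytes):
    """Unsafe configuration: external general entities are resolved, so a
    SYSTEM entity pointing at a file:// (or http://) URL is fetched by urllib
    and its content is spliced into the document."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, True)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


def parse_hardened(xml_bytes):
    """Untrusted XML has no legitimate need for a DTD: refuse any DOCTYPE or
    ENTITY declaration before parsing. This also stops internal entity
    expansion ("billion laughs"), which disabling external entities alone
    does not. Assumes an ASCII-compatible encoding (decode UTF-16 first)."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD in untrusted XML rejected")
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    # feature_external_ges stays at its default (False) as a second layer.
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


def build_payload(file_url):
    """Constructed attacker document: an external entity that reads a local file."""
    doc = (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE data [<!ENTITY xxe SYSTEM "%s">]>\n'
        "<data>&xxe;</data>\n" % file_url
    )
    return doc.encode()


def demo():
    """Creates a throwaway file standing in for a sensitive one, then shows the
    unsafe parser leaking it and the hardened parser refusing the document.
    Returns (leaked_text, hardened_rejected)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("s3cr3t-token-42")  # constructed secret, no trailing newline
        secret_path = pathlib.Path(f.name)
    try:
        payload = build_payload(secret_path.as_uri())
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            rejected = False
        except ValueError:
            rejected = True
    finally:
        secret_path.unlink()
    return leaked, rejected


if __name__ == "__main__":
    print(demo())
```

The same SYSTEM identifier can be an http:// URL, which turns the parser into an SSRF primitive; and error-based or out-of-band variants leak the file even when the application never echoes parsed text back, which is why rejecting the DTD outright is preferable to filtering what gets displayed.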

CVE-2025-55012

Publication date:
11/08/2025
Zed is a multiplayer code editor. Prior to version 0.197.3, the Zed Agent Panel allowed an AI agent to achieve Remote Code Execution (RCE) by bypassing user permission checks. An AI agent could exploit a permissions bypass vulnerability to create or modify a project-specific configuration file, leading to the execution of arbitrary commands on a victim's machine without the explicit approval that would otherwise be required. This vulnerability has been patched in version 0.197.3. As a workaround, either avoid sending prompts to the Agent Panel or limit the AI agent's file system access.
Severity CVSS v4.0: HIGH
Last modification:
12/08/2025
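
An added illustration, not Zed's code, of the approval gate the entry above describes: an agent's file-write tool that normalises the requested path, refuses anything that lands outside the project root (absolute paths, "..", symlinks), and treats writes to files that cause command execution exactly like a request to run a command, so they need explicit approval. The list of such files and the project directory and requests are constructed assumptions for the example.

```python
import os
import pathlib
import shutil
import tempfile

# Constructed list (an assumption for this example): project files whose
# contents a shell, editor or build tool executes without a further prompt.
# Entries ending in "/" match everything beneath that directory.
EXEC_TRIGGER_PATHS = (
    ".git/hooks/",
    ".envrc",              # direnv runs it on cd
    ".vscode/tasks.json",  # editor task definitions
    "Makefile",
)


def classify_write(project_root, requested_path):
    """Decide what an agent's request to write `requested_path` needs.

    Returns "deny" for anything outside the project root after normalisation,
    "needs_approval" for writes to files that trigger execution, and "allow"
    otherwise."""
    root = pathlib.Path(project_root).resolve()
    # resolve() follows symlinks in the existing part of the path, so a symlink
    # inside the project that points elsewhere is caught here too.
    target = (root / requested_path).resolve()
    try:
        rel = target.relative_to(root).as_posix()
    except ValueError:
        return "deny"
    for pattern in EXEC_TRIGGER_PATHS:
        if pattern.endswith("/"):
            if rel == pattern.rstrip("/") or rel.startswith(pattern):
                return "needs_approval"
        elif rel == pattern:
            return "needs_approval"
    return "allow"


def agent_write(project_root, requested_path, content, approved=False):
    """Tool entry point: refuse outright, or insist on explicit approval,
    before touching the file system."""
    verdict = classify_write(project_root, requested_path)
    if verdict == "deny":
        raise PermissionError(f"refusing to write outside project: {requested_path}")
    if verdict == "needs_approval" and not approved:
        raise PermissionError(f"write to {requested_path} requires explicit approval")
    target = pathlib.Path(project_root).resolve() / requested_path
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content)
    return verdict


def demo():
    """Classifies a set of constructed requests against a temporary project."""
    root = tempfile.mkdtemp(prefix="proj-")
    outside = tempfile.mkdtemp(prefix="outside-")
    results = {}
    try:
        for req in ("src/main.rs", "README.md", ".envrc", ".git/hooks/pre-commit",
                    "Makefile", "../outside.txt", "/etc/cron.d/job"):
            results[req] = classify_write(root, req)
        try:  # symlink escape; skipped where symlinks cannot be created
            os.symlink(outside, os.path.join(root, "link"))
            results["link/evil"] = classify_write(root, "link/evil")
        except OSError:
            pass
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(outside, ignore_errors=True)
    return results


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(f"{verdict:15} {request}")
```

The check and the write are not atomic: a symlink swapped in between them still wins, so in a real tool the write should open the directory with O_NOFOLLOW semantics or run the whole tool inside a sandbox whose filesystem view is the project only.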

CVE-2025-55150

Publication date:
11/08/2025
Stirling-PDF is a locally hosted web application that performs various operations on PDF files. Prior to version 1.1.0, when using the /api/v1/convert/html/pdf endpoint to convert HTML to PDF, the backend calls a third-party tool to process it and includes a sanitizer for security sanitization which can be bypassed and result in SSRF. This issue has been patched in version 1.1.0.
Severity CVSS v4.0: Pending analysis
Last modification:
15/08/2025

CVE-2025-25235

Publication date:
11/08/2025
Server-Side Request Forgery (SSRF) in Omnissa Secure Email Gateway (SEG) in SEG prior to 2.32 running on Windows and SEG prior to 2503 running on UAG allows routing of network traffic such as HTTP requests to internal networks.
Severity CVSS v4.0: Pending analysis
Last modification:
12/08/2025
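
The three SSRF entries above (the two Stirling-PDF converters and Omnissa SEG) do not describe the bypasses themselves; what follows is an added example, not code from any of those projects, of the destination check a server should apply before fetching a user-supplied URL. It resolves the host, rejects anything that is not globally routable (loopback, RFC 1918, link-local including 169.254.169.254, IPv4-mapped IPv6), and returns the resolved addresses so the caller connects to exactly what was checked. The DNS table and its addresses are constructed for offline use.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


class UnsafeDestination(ValueError):
    """Raised when a URL must not be fetched on the user's behalf."""


ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def system_resolver(host):
    """Every address the OS would connect to for `host`, IPv4 and IPv6. libc
    also accepts unusual literal forms ("2130706433", "0x7f.1"), so letting it
    do the parsing avoids second-guessing them."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_globally_routable(ip):
    """Reject loopback, RFC 1918, link-local (the 169.254.169.254 metadata
    service), and other non-public ranges; unwrap ::ffff:a.b.c.d first."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolver=system_resolver):
    """Validate `url` and return (host, port, addresses). Connect to one of the
    returned addresses rather than resolving again, otherwise a DNS answer that
    changes between check and use (rebinding) defeats the check."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeDestination(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeDestination("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeDestination("missing host")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError as exc:
        raise UnsafeDestination("malformed port") from exc
    if port not in ALLOWED_PORTS:
        raise UnsafeDestination(f"port not allowed: {port}")
    try:
        addrs = [ipaddress.ip_address(host)]  # literal address
    except ValueError:
        addrs = resolver(host)                # host name: resolve it
    if not addrs:
        raise UnsafeDestination(f"host does not resolve: {host!r}")
    blocked = [str(ip) for ip in addrs if not is_globally_routable(ip)]
    if blocked:
        raise UnsafeDestination(f"{host!r} maps to non-public address(es): {blocked}")
    return host, port, addrs


def is_safe_url(url, resolver=system_resolver):
    try:
        check_outbound_url(url, resolver)
        return True
    except UnsafeDestination:
        return False


# Constructed DNS table for offline demonstration; the addresses are placeholders.
FAKE_DNS = {
    "example.com": ["8.8.8.8"],
    "intranet.corp": ["10.0.0.5"],
    "rebind.example": ["8.8.8.8", "127.0.0.1"],  # one public answer, one loopback
}


def fake_resolver(host):
    return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])]


if __name__ == "__main__":
    for u in ("https://example.com/doc.pdf", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/", "http://rebind.example/"):
        print(is_safe_url(u, fake_resolver), u)
```

For an HTML-to-PDF converter this check on the submitted URL is necessary but not sufficient: the rendering engine makes its own fetches for images, stylesheets, iframes and redirects, so the same policy has to be applied to every request the renderer issues (a resolver hook, or an egress proxy or network namespace that only reaches public addresses), and redirects must not be followed automatically without re-checking the new location.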

CVE-2025-54878

Publication date:
11/08/2025
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. A heap buffer overflow vulnerability exists in NASA CryptoLib version 1.4.0 and prior in the IV setup logic for telecommand (TC) frames. The problem arises from missing bounds checks when copying the Initialization Vector (IV) into a freshly allocated buffer: a crafted TC frame causes the library to write one byte past the end of the heap buffer. An attacker supplying such a malformed telecommand frame can therefore corrupt heap memory, leading to undefined behaviour that could manifest as a crash (denial of service) or more severe exploitation. This issue has been patched in version 1.4.0.
Severity CVSS v4.0: Pending analysis
Last modification:
27/08/2025

CVE-2025-40920

Publication date:
11/08/2025
Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library.
* Data::UUID does not use a strong cryptographic source for generating UUIDs.
* Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562.
* The nonces should be generated from a strong cryptographic source, as per RFC 7616.
Severity CVSS v4.0: Pending analysis
Last modification:
17/01/2026
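
An added example (not the Catalyst module's code) contrasting the two nonce constructions the entry above describes: a UUIDv3 computed from known inputs, standing in for the Data::UUID behaviour, against a nonce in the shape RFC 7616 suggests, built from a timestamp and a keyed hash under a CSPRNG-generated server secret, which the server can verify without storing it. The hostname and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import time
import uuid


def weak_nonce(hostname, timestamp):
    """A UUIDv3 is just MD5 over a namespace and a name (RFC 9562). Anyone who
    can guess the inputs, here a hostname and a second-resolution timestamp,
    recomputes the "nonce" exactly, so it offers no unpredictability."""
    return str(uuid.uuid3(uuid.NAMESPACE_DNS, f"{hostname}:{timestamp}"))


# Server-side secret from the OS CSPRNG, generated at start-up and never disclosed.
SERVER_SECRET = secrets.token_bytes(32)


def make_nonce(secret=SERVER_SECRET, now=None):
    """Nonce in the shape RFC 7616 section 5.12 suggests (a time-stamp plus a
    keyed hash over it): the random part comes from the CSPRNG and the HMAC
    lets the server recognise its own nonces without keeping a table."""
    ts = int(time.time()) if now is None else int(now)
    rand = secrets.token_hex(16)
    tag = hmac.new(secret, f"{ts}:{rand}".encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{ts}:{rand}:{tag}".encode()).decode()


def check_nonce(nonce, secret=SERVER_SECRET, now=None, max_age=300):
    """Accept only nonces this server minted, issued within max_age seconds."""
    try:
        ts_s, rand, tag = base64.b64decode(nonce, validate=True).decode().split(":")
        ts = int(ts_s)
    except (ValueError, UnicodeDecodeError):
        return False
    expected = hmac.new(secret, f"{ts}:{rand}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):  # constant time
        return False
    current = int(time.time()) if now is None else int(now)
    return 0 <= current - ts <= max_age


if __name__ == "__main__":
    print("weak, reproducible:", weak_nonce("mail.example", 1700000000))
    n = make_nonce()
    print("strong:", n, "valid:", check_nonce(n))
```

A stateless HMAC nonce proves origin and freshness but not single use: within max_age a captured Authorization header replays. RFC 7616 covers that with the nonce-count (nc) field, which needs per-nonce server-side tracking, so keep max_age short and track nc where replay matters.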

CVE-2024-32640

Publication date:
11/08/2025
MASA CMS is an Enterprise Content Management platform based on open source technology. Versions prior to 7.4.5, 7.3.12, and 7.2.7 contain a SQL injection vulnerability in the `processAsyncObject` method that can result in remote code execution. Versions 7.4.5, 7.3.12, and 7.2.7 contain a fix for the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2025

CVE-2025-54463

Publication date:
11/08/2025
Mattermost Confluence Plugin version
Severity CVSS v4.0: Pending analysis
Last modification:
24/09/2025

CVE-2025-54478

Publication date:
11/08/2025
Mattermost Confluence Plugin version
Severity CVSS v4.0: Pending analysis
Last modification:
24/09/2025

CVE-2025-54525

Publication date:
11/08/2025
Mattermost Confluence Plugin version
Severity CVSS v4.0: Pending analysis
Last modification:
24/09/2025

CVE-2025-7677

Publication date:
11/08/2025
A denial-of-service (DoS) attack is possible if access to the local network is provided to unauthorized users. This is due to a buffer copy issue that may lead to a software crash. This issue affects all versions of ASPECT.
Severity CVSS v4.0: HIGH
Last modification:
08/09/2025