Vulnerabilities

With the aim of informing, warning and helping professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, since entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, for example vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recently added vulnerabilities.

CVE-2025-53537

Publication date:
23/07/2025
LibHTP is a security-aware parser for the HTTP protocol and its related bits and pieces. In versions 0.5.50 and below, there is a traffic-induced memory leak that can starve the process of memory, leading to loss of visibility. To workaround this issue, set `suricata.yaml app-layer.protocols.http.libhtp.default-config.lzma-enabled` to false. This issue is fixed in version 0.5.51.
Severity CVSS v4.0: Pending analysis
Last modification:
05/08/2025

CVE-2025-53942

Publication date:
23/07/2025
authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3, deactivated users who registered through OAuth/SAML or linked their accounts to OAuth/SAML providers can still retain partial access to the system despite their accounts being deactivated. They end up in a half-authenticated state where they cannot access the API but crucially they can authorize applications if they know the URL of the application. To workaround this issue, developers can add an expression policy to the user login stage on the respective authentication flow with the expression `return request.context["pending_user"].is_active`. This modification ensures that the return statement only activates the user login stage when the user is active. This issue is fixed in versions authentik 2025.4.4 and 2025.6.4.
Severity CVSS v4.0: HIGH
Last modification:
21/08/2025

CVE-2025-54371

Publication date:
23/07/2025
Rejected reason: This CVE is a duplicate of another CVE.
Severity CVSS v4.0: Pending analysis
Last modification:
23/07/2025

CVE-2025-8058

Publication date:
23/07/2025
The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending on how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.
Severity CVSS v4.0: MEDIUM
Last modification:
04/11/2025

CVE-2025-44109

Publication date:
23/07/2025
A URL redirection in Pinokio v3.6.23 allows attackers to redirect victim users to attacker-controlled pages.
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2025

CVE-2025-46686

Publication date:
23/07/2025
Redis through 8.0.3 allows memory consumption via a multi-bulk command composed of many bulks, sent by an authenticated user. This occurs because the server allocates memory for the command arguments of every bulk, even when the command is skipped because of insufficient permissions. NOTE: this is disputed by the Supplier because abuse of the commands network protocol is not a violation of the Redis Security Model.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2025-47187

Publication date:
23/07/2025
A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones through 6.4 SP4 (R6.4.0.4006), and the 6970 Conference Unit through 6.4 SP4 (R6.4.0.4006) or version V1 R0.1.0, could allow an unauthenticated attacker to perform a file upload attack due to missing authentication mechanisms. A successful exploit could allow an attacker to upload arbitrary WAV files, which may potentially exhaust the phone's storage without affecting the phone's availability or operation.
Severity CVSS v4.0: Pending analysis
Last modification:
29/07/2025

CVE-2025-50477

Publication date:
23/07/2025
A URL redirection in lbry-desktop v0.53.9 allows attackers to redirect victim users to attacker-controlled pages.
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2025

CVE-2025-4439

Publication date:
23/07/2025
An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed an authenticated user to perform cross-site scripting attacks when the instance is served through certain content delivery networks.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2025

CVE-2025-4700

Publication date:
23/07/2025
An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that, under specific circumstances, could have potentially allowed a successful attacker to trigger unintended content rendering leading to XSS.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2025

CVE-2025-8069

Publication date:
23/07/2025
During the AWS Client VPN client installation on Windows devices, the install process references the C:\usr\local\windows-x86_64-openssl-localbuild\ssl directory location to fetch the OpenSSL configuration file. As a result, a non-admin user could place arbitrary code in the configuration file. If an admin user starts the AWS Client VPN client installation process, that code could be executed with root-level privileges. This issue does not affect Linux or Mac devices.

We recommend users discontinue any new installations of AWS Client VPN on Windows prior to version 5.2.2.
Severity CVSS v4.0: HIGH
Last modification:
14/10/2025

CVE-2025-46171

Publication date:
23/07/2025
vBulletin 3.8.7 is vulnerable to a denial-of-service condition via the misc.php?do=buddylist endpoint. If an authenticated user has a sufficiently large buddy list, processing the list can consume excessive memory, exhausting system resources and crashing the forum.
Severity CVSS v4.0: Pending analysis
Last modification:
28/07/2025