Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-45301
Publication date:
12/11/2025
Mintty is a terminal emulator for Cygwin, MSYS, and WSL. In versions 2.3.6 through 3.7.4, several escape sequences can cause the mintty process to access a file in a specific path. It is triggered by simply printing them out on bash. An attacker can specify an arbitrary network path, negotiate an ntlm hash out of the victim's machine to an attacker controlled remote host. An attacker can use password cracking tools or NetNTLMv2 hashes to Pass the Hash. Version 3.7.5 fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-65001
Publication date:
12/11/2025
Fujitsu fbiosdrv.sys before 2.5.0.0 allows an attacker to potentially affect system confidentiality, integrity, and availability.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-65002
Publication date:
12/11/2025
Fujitsu / Fsas Technologies iRMC S6 on M5 before 1.37S mishandles Redfish/WebUI access if the length of a username is exactly 16 characters.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-63811
Publication date:
12/11/2025
An issue was discovered in dvsekhvalnov jose2go 1.5.0 thru 1.7.0 allowing an attacker to cause a Denial-of-Service (DoS) via crafted JSON Web Encryption (JWE) token with an exceptionally high compression ratio.
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2025

CVE-2025-60645
Publication date:
12/11/2025
A Cross-Site Request Forgery (CSRF) in xxl-api v1.3.0 allows attackers to arbitrarily add users to the management module via a crafted GET request.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2025

CVE-2025-20379
Publication date:
12/11/2025
In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, and 9.2.9 and Splunk Cloud Platform versions below 9.3.2411.116, 9.3.2408.124, 10.0.2503.5 and 10.1.2507.1, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands. They could bypass these safeguards on the “/services/streams/search“ endpoint through its “q“ parameter by circumventing endpoint restrictions using character encoding in the REST path. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2025

CVE-2025-25236
Publication date:
12/11/2025
Omnissa Workspace ONE UEM contains an observable response discrepancy vulnerability. A malicious actor may be able to enumerate sensitive information such as tenant ID and user accounts that could facilitate brute-force, password-spraying or credential-stuffing attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-20378
Publication date:
12/11/2025
In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, 9.2.9, and Splunk Cloud Platform versions below 10.0.2503.5, 9.3.2411.111, and 9.3.2408.121, an unauthenticated attacker could craft a malicious URL using the `return_to` parameter of the Splunk Web login endpoint. When an authenticated user visits the malicious URL, it could cause an unvalidated redirect to an external malicious site. To be successful, the attacker has to trick the victim into initiating a request from their browser. The unauthenticated attacker should not be able to exploit the vulnerability at will.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2025

CVE-2025-63419
Publication date:
12/11/2025
Cross Site Scripting (XSS) vulnerability in CrushFTP 11.3.6_48. The Web-Based Server has a feature where users can share files, the feature reflects the filename to an emailbody field with no sanitations leading to HTML Injection.
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2025

CVE-2025-59491
Publication date:
12/11/2025
Cross Site Scripting vulnerability in CentralSquare Community Development 19.5.7 via form fields.
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2025

CVE-2025-59088
Publication date:
12/11/2025
If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request for a realm matching a DNS zone where they created SRV records pointing to arbitrary ports and hostnames (which may resolve to loopback or internal IP addresses). This vulnerability can be exploited to probe internal network topology and firewall rules, perform port scanning, and exfiltrate data. Deployments where<br /> the "use_dns" setting is explicitly set to false are not affected.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-59089
Publication date:
12/11/2025
If an attacker causes kdcproxy to connect to an attacker-controlled KDC server (e.g. through server-side request forgery), they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC&amp;#39;s response, kdcproxy copies the entire buffered stream into a new<br /> buffer on each recv() call, even when the transfer is incomplete, causing excessive memory allocation and CPU usage. Additionally, kdcproxy accepts incoming response chunks as long as the received data length is not exactly equal to the length indicated in the response<br /> header, even when individual chunks or the total buffer exceed the maximum length of a Kerberos message. This allows an attacker to send unbounded data until the connection timeout is reached (approximately 12 seconds), exhausting server memory or CPU resources. Multiple concurrent requests can cause accept queue overflow, denying service to legitimate clients.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2026
Subscribe to Vulnerabilities