Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-64114

Publication date:

06/11/2025

ClipBucket v5 is an open source video sharing platform. Versions 5.5.2 - #151 and below allow authenticated administrators with plugin management privileges to execute arbitrary SQL commands against the database through its ClipBucket Custom Fields plugin. The vulnerabilities require the Custom Fields plugin to be installed and accessible, and can only be exploited by users with administrative access to the plugin interface. This issue is fixed in version 5.5.2 - #.

Severity CVSS v4.0: Pending analysis

Last modification:

10/11/2025

CVE-2025-62596

Publication date:

06/11/2025

Youki is a container runtime written in Rust. In versions 0.5.6 and below, youki’s apparmor handling performs insufficiently strict write-target validation, and when combined with path substitution during pathname resolution, can allow writes to unintended procfs locations. While resolving a path component-by-component, a shared-mount race can substitute intermediate components and redirect the final target. This issue is fixed in version 0.5.7.

Severity CVSS v4.0: HIGH

Last modification:

10/11/2025

CVE-2025-62161

Publication date:

06/11/2025

Youki is a container runtime written in Rust. In versions 0.5.6 and below, the initial validation of the source /dev/null is insufficient, allowing container escape when youki utilizes bind mounting the container&#39;s /dev/null as a file mask. This issue is fixed in version 0.5.7.

Severity CVSS v4.0: HIGH

Last modification:

10/11/2025

CVE-2025-55278

Publication date:

05/11/2025

Improper authentication in the API authentication middleware of HCL DevOps Loop allows authentication tokens to be accepted without proper validation of their expiration and cryptographic signature. As a result, an attacker could potentially use expired or tampered tokens to gain unauthorized access to sensitive resources and perform actions with elevated privileges.

Severity CVSS v4.0: Pending analysis

Last modification:

15/04/2026

CVE-2025-12779

Publication date:

05/11/2025

Improper handling of the authentication token in the Amazon WorkSpaces client for Linux, versions 2023.0 through 2024.8, may expose the authentication token for DCV-based WorkSpaces to other local users on the same client machine. Under certain circumstances, a local user may be able to extract another local user&#39;s authentication token from the shared client machine and access their WorkSpace.<br /> <br /> To mitigate this issue, users should upgrade to the Amazon WorkSpaces client for Linux version 2025.0 or later.

Severity CVSS v4.0: HIGH

Last modification:

15/04/2026

CVE-2025-63585

Publication date:

05/11/2025

OSSN (Open Source Social Network) 8.6 is vulnerable to SQL Injection in /action/rtcomments/status via the timestamp parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

09/01/2026

CVE-2025-60784

Publication date:

05/11/2025

A vulnerability in the XiaozhangBang Voluntary Like System V8.8 allows remote attackers to manipulate the zhekou parameter in the /topfirst.php Pay module, enabling unauthorized discounts. By sending a crafted HTTP POST request with zhekou set to an abnormally low value, an attacker can purchase votes at a reduced cost. Furthermore, by modifying the zid parameter, attackers can influence purchases made by other users, amplifying the impact. This issue stems from insufficient server-side validation of these parameters, potentially leading to economic loss and unfair manipulation of vote counts.

Severity CVSS v4.0: Pending analysis

Last modification:

09/01/2026

CVE-2025-63334

Publication date:

05/11/2025

PocketVJ CP PocketVJ-CP-v3 pvj version 3.9.1 contains an unauthenticated remote code execution vulnerability in the submit_opacity.php component. The application fails to sanitize user input in the opacityValue POST parameter before passing it to a shell command, allowing remote attackers to execute arbitrary commands with root privileges on the underlying system.

Severity CVSS v4.0: Pending analysis

Last modification:

09/01/2026

CVE-2025-10853

Publication date:

05/11/2025

A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS.<br /> <br /> Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking.

Severity CVSS v4.0: Pending analysis

Last modification:

13/11/2025

CVE-2025-63418

Publication date:

05/11/2025

A DOM-based Cross-Site Scripting (XSS) vulnerability in the SelfBest platform 2023.3 allows attackers to execute arbitrary JavaScript in the context of a logged-in user&#39;s session by injecting payloads via the browser&#39;s developer console. The vulnerability arises from the application&#39;s client-side code being susceptible to direct DOM manipulation without adequate sanitization or a Content Security Policy (CSP), potentially leading to account takeover and data theft.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2025

CVE-2025-63417

Publication date:

05/11/2025

A Stored Cross-Site Scripting (XSS) vulnerability in the chat functionality of the SelfBest platform 2023.3 allows authenticated attackers to inject arbitrary web scripts or HTML via the chat message input field. This malicious content is stored and then executed in the context of other users&#39; browsers when they view the malicious message, potentially leading to session hijacking, account takeover, or other client-side attacks.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2025

CVE-2025-63416

Publication date:

05/11/2025

** exclusively-hosted-service ** A Stored Cross-Site Scripting (XSS) vulnerability in the chat functionality of the SelfBest platform 2023.3 allows authenticated low-privileged attackers to execute arbitrary JavaScript in the context of other users&#39; sessions. This can be exploited to access administrative data and functions, leading to privilege escalation and full compromise of sensitive user data, as demonstrated by the ability to fetch and exfiltrate the contents of the /admin/users endpoint.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2025

Subscribe to Vulnerabilities