Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-62242
Publication date:
13/10/2025
Insecure Direct Object Reference (IDOR) vulnerability with account addresses in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated users to from one account to view addresses from a different account via the _com_liferay_account_admin_web_internal_portlet_AccountEntriesAdminPortlet_addressId parameter.
Severity CVSS v4.0: MEDIUM
Last modification:
07/11/2025

CVE-2025-62241
Publication date:
13/10/2025
Insecure Direct Object Reference (IDOR) vulnerability with shipment addresses in Liferay DXP 2023.Q4.1 through 2023.Q4.5 allows remote authenticated users to from one virtual instance to view the shipment addresses of different virtual instance via the _com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter.
Severity CVSS v4.0: MEDIUM
Last modification:
12/11/2025

CVE-2025-58084
Publication date:
13/10/2025
Mattermost Desktop App versions
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2025

CVE-2025-62243
Publication date:
13/10/2025
Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated attackers to view publication comments via the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_value parameter.<br /> <br /> Publications comments in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 does not properly check user permissions, which allows remote authenticated users to edit publication comments via crafted URLs.
Severity CVSS v4.0: MEDIUM
Last modification:
15/12/2025

CVE-2025-62170
Publication date:
13/10/2025
rAthena is an open-source cross-platform MMORPG server. A use-after-free vulnerability exists in the RODEX functionality of rAthena&amp;#39;s map-server in versions prior to commit af2f3ba. An unauthenticated attacker can exploit this vulnerability via a specific attacking scenario to cause a denial of service by crashing the map-server. This issue has been patched in commit af2f3ba. There are no known workarounds aside from manually applying the patch.
Severity CVSS v4.0: Pending analysis
Last modification:
20/10/2025

CVE-2025-61775
Publication date:
13/10/2025
Vickey is a Misskey-based microblogging platform. A vulnerability exists in Vickey prior to version 2025.10.0 where unexpired email confirmation links can be reused multiple times to send repeated confirmation emails to a verified email address. Under certain conditions, a verified email address could receive repeated confirmation messages if the verification link was accessed multiple times. This issue may result in unintended email traffic but does not expose user data. The issue was addressed in version 2025.10.0 by improving validation logic to ensure verification links behave as expected after completion.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2025-7707
Publication date:
13/10/2025
The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, data tampering, or privilege escalation. The vulnerability arises from the use of a shared cache directory instead of a user-specific one, making it susceptible to local data tampering and denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2025

CVE-2025-11695
Publication date:
13/10/2025
When tlsInsecure=False appears in a connection string, certificate validation is disabled.<br /> <br /> This vulnerability affects MongoDB Rust Driver versions prior to v3.2.5
Severity CVSS v4.0: Pending analysis
Last modification:
04/12/2025

CVE-2025-62244
Publication date:
13/10/2025
Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.3.1 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92, and 7.3 GA through update 36 allows remote authenticated attackers to view the edit page of a publication via the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_ctCollectionId parameter.
Severity CVSS v4.0: MEDIUM
Last modification:
15/12/2025

CVE-2025-43991
Publication date:
13/10/2025
SupportAssist for Home PCs versions 4.8.2 and prior and SupportAssist for Business PCs versions 4.5.3 and prior, contain an UNIX Symbolic Link (Symlink) following vulnerability. A low privileged attacker with local access to the system could potentially exploit this vulnerability to delete arbitrary files only in that affected system.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-37729
Publication date:
13/10/2025
Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise (ECE) can lead to a malicious actor with Admin access exfiltrating sensitive information and issuing commands via a specially crafted string where Jinjava variables are evaluated.
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2025

CVE-2025-39965
Publication date:
13/10/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfrm: xfrm_alloc_spi shouldn&amp;#39;t use 0 as SPI<br /> <br /> x-&gt;id.spi == 0 means "no SPI assigned", but since commit<br /> 94f39804d891 ("xfrm: Duplicate SPI Handling"), we now create states<br /> and add them to the byspi list with this value.<br /> <br /> __xfrm_state_delete doesn&amp;#39;t remove those states from the byspi list,<br /> since they shouldn&amp;#39;t be there, and this shows up as a UAF the next<br /> time we go through the byspi list.
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2026
Subscribe to Vulnerabilities