Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-38616
Publication date:
22/08/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tls: handle data disappearing from under the TLS ULP<br /> <br /> TLS expects that it owns the receive queue of the TCP socket.<br /> This cannot be guaranteed in case the reader of the TCP socket<br /> entered before the TLS ULP was installed, or uses some non-standard<br /> read API (eg. zerocopy ones). Replace the WARN_ON() and a buggy<br /> early exit (which leaves anchor pointing to a freed skb) with real<br /> error handling. Wipe the parsing state and tell the reader to retry.<br /> <br /> We already reload the anchor every time we (re)acquire the socket lock,<br /> so the only condition we need to avoid is an out of bounds read<br /> (not having enough bytes in the socket for previously parsed record len).<br /> <br /> If some data was read from under TLS but there&amp;#39;s enough in the queue<br /> we&amp;#39;ll reload and decrypt what is most likely not a valid TLS record.<br /> Leading to some undefined behavior from TLS perspective (corrupting<br /> a stream? missing an alert? missing an attack?) but no kernel crash<br /> should take place.
Severity CVSS v4.0: Pending analysis
Last modification:
26/11/2025

CVE-2025-38617
Publication date:
22/08/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/packet: fix a race in packet_set_ring() and packet_notifier()<br /> <br /> When packet_set_ring() releases po-&gt;bind_lock, another thread can<br /> run packet_notifier() and process an NETDEV_UP event.<br /> <br /> This race and the fix are both similar to that of commit 15fe076edea7<br /> ("net/packet: fix a race in packet_bind() and packet_notifier()").<br /> <br /> There too the packet_notifier NETDEV_UP event managed to run while a<br /> po-&gt;bind_lock critical section had to be temporarily released. And<br /> the fix was similarly to temporarily set po-&gt;num to zero to keep<br /> the socket unhooked until the lock is retaken.<br /> <br /> The po-&gt;bind_lock in packet_set_ring and packet_notifier precede the<br /> introduction of git history.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2026

CVE-2025-50691
Publication date:
22/08/2025
MCSManager 10.5.3 daemon process runs as a root account by default, and its sensitive data (including tokens and terminal content) is stored in the data directory, readable by all users. Other users on the system can read the daemon&amp;#39;s key and use it to log in, leading to privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-58239
Publication date:
22/08/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tls: stop recv() if initial process_rx_list gave us non-DATA<br /> <br /> If we have a non-DATA record on the rx_list and another record of the<br /> same type still on the queue, we will end up merging them:<br /> - process_rx_list copies the non-DATA record<br /> - we start the loop and process the first available record since it&amp;#39;s<br /> of the same type<br /> - we break out of the loop since the record was not DATA<br /> <br /> Just check the record type and jump to the end in case process_rx_list<br /> did some work.
Severity CVSS v4.0: Pending analysis
Last modification:
26/11/2025

CVE-2024-56179
Publication date:
22/08/2025
In MindManager Windows versions prior to 24.1.150, attackers could potentially write to unexpected directories in victims&amp;#39; machines via directory traversal if victims opened file attachments located in malicious mmap files.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2009-10006
Publication date:
22/08/2025
UFO: Alien Invasion versions up to and including 2.2.1 contain a buffer overflow vulnerability in its built-in IRC client component. When the client connects to an IRC server and receives a crafted numeric reply (specifically a 001 message), the application fails to properly validate the length of the response string. This results in a stack-based buffer overflow, which may corrupt control flow structures and allow arbitrary code execution. The vulnerability is triggered during automatic IRC connection handling and does not require user interaction beyond launching the game.
Severity CVSS v4.0: CRITICAL
Last modification:
15/04/2026

CVE-2025-9331
Publication date:
22/08/2025
The Spacious theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the &amp;#39;welcome_notice_import_handler&amp;#39; function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo data into the site.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-9259
Publication date:
22/08/2025
WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files.
Severity CVSS v4.0: HIGH
Last modification:
06/11/2025

CVE-2025-9258
Publication date:
22/08/2025
WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files.
Severity CVSS v4.0: HIGH
Last modification:
06/11/2025

CVE-2025-9257
Publication date:
22/08/2025
WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files.
Severity CVSS v4.0: HIGH
Last modification:
06/11/2025

CVE-2025-9256
Publication date:
22/08/2025
WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files.
Severity CVSS v4.0: HIGH
Last modification:
06/11/2025

CVE-2025-9255
Publication date:
22/08/2025
WebITR developed by Uniong has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.
Severity CVSS v4.0: HIGH
Last modification:
06/11/2025
Subscribe to Vulnerabilities