Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we provide a database, in Spanish, of all of the latest documented and recognised vulnerabilities for users interested in this information.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates that information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are available: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds or newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-54607

Publication date:
06/08/2025
Authentication management vulnerability in the ArkWeb module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
Severity CVSS v4.0: Pending analysis
Last modification:
20/08/2025

CVE-2025-54608

Publication date:
06/08/2025
Vulnerability that allows setting screen rotation direction without permission verification in the screen management module. Impact: Successful exploitation of this vulnerability may cause device screen orientation to be arbitrarily set.
Severity CVSS v4.0: Pending analysis
Last modification:
20/08/2025

CVE-2025-54609

Publication date:
06/08/2025
Out-of-bounds access vulnerability in the audio codec module. Impact: Successful exploitation of this vulnerability may affect availability.
Severity CVSS v4.0: Pending analysis
Last modification:
12/08/2025

CVE-2025-54653

Publication date:
06/08/2025
Path traversal vulnerability in the virtualization file module. Successful exploitation of this vulnerability may affect the confidentiality of the virtualization file module.
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2025

CVE-2025-54655

Publication date:
06/08/2025
Race condition vulnerability in the virtualization base module. Successful exploitation of this vulnerability may affect the confidentiality and integrity of the virtualization graphics module.
Severity CVSS v4.0: Pending analysis
Last modification:
20/08/2025

CVE-2025-54652

Publication date:
06/08/2025
Path traversal vulnerability in the virtualization base module. Successful exploitation of this vulnerability may affect the confidentiality of the virtualization module.
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2025

CVE-2025-54883

Publication date:
06/08/2025
Vision UI is a collection of enterprise-grade, dependency-free modules for modern web projects. In versions 1.4.0 and below, the getSecureRandomInt function in security-kit versions prior to 3.5.0 (packaged in Vision-ui
Severity CVSS v4.0: CRITICAL
Last modification:
15/04/2026

CVE-2025-54884

Publication date:
06/08/2025
Vision UI is a collection of enterprise-grade, dependency-free modules for modern web projects. In versions 1.4.0 and below, the generateSecureId and getSecureRandomInt functions in security-kit versions prior to 3.5.0 (packaged in Vision UI 1.4.0 and below) are vulnerable to Denial of Service (DoS) attacks. The generateSecureId(length) function directly used the length parameter to size a Uint8Array buffer, allowing attackers to exhaust server memory through repeated requests for large IDs since the previous 1024 limit was insufficient. The getSecureRandomInt(min, max) function calculated buffer size based on the range between min and max, where large ranges caused excessive memory allocation and CPU-intensive rejection-sampling loops that could hang the thread. This issue is fixed in version 1.5.0.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026

CVE-2025-54801

Publication date:
06/08/2025
Fiber is an Express-inspired web framework written in Go. In versions 2.52.8 and below, when using Fiber's Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder. The root cause is that the decoder attempts to allocate a slice of length idx + 1 without validating whether the index is within a safe or reasonable range. If the idx is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash. This is fixed in version 2.52.9.
Severity CVSS v4.0: HIGH
Last modification:
23/09/2025

CVE-2025-54879

Publication date:
06/08/2025
Mastodon is a free, open-source social network server based on ActivityPub Mastodon which facilitates LDAP configuration for authentication. In versions 3.1.5 through 4.2.24, 4.3.0 through 4.3.11 and 4.4.0 through 4.4.3, Mastodon's rate-limiting system has a critical configuration error where the email-based throttle for confirmation emails incorrectly checks the password reset path instead of the confirmation path, effectively disabling per-email limits for confirmation requests. This allows attackers to bypass rate limits by rotating IP addresses and send unlimited confirmation emails to any email address, as only a weak IP-based throttle (25 requests per 5 minutes) remains active. The vulnerability enables denial-of-service attacks that can overwhelm mail queues and facilitate user harassment through confirmation email spam. This is fixed in versions 4.2.24, 4.3.11 and 4.4.3.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2025-54869

Publication date:
06/08/2025
FPDI is a collection of PHP classes that facilitate reading pages from existing PDF documents and using them as templates in FPDF. In versions 2.6.2 and below, any application that uses FPDI to process user-supplied PDF files is at risk, causing a Denial of Service (DoS) vulnerability. An attacker can upload a small, malicious PDF file that will cause the server-side script to crash due to memory exhaustion. Repeated attacks can lead to sustained service unavailability. This issue is fixed in version 2.6.3.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2025-54872

Publication date:
06/08/2025
onion-site-template is a complete, scalable Tor hidden service self-hosting sample. Versions which include commit 3196bd89 contain a baked-in Tor image if the secrets were copied from an existing onion domain. A website could be compromised if a user shared the baked-in image, or if someone were able to acquire access to the user's device outside of a containerized environment. This is fixed by commit bc9ba0fd.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026