Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-46390
Publication date:
06/08/2025
CWE-204: Observable Response Discrepancy
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2025-46386
Publication date:
06/08/2025
CWE-639 Authorization Bypass Through User-Controlled Key
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2025-22470
Publication date:
06/08/2025
CL4/6NX Plus and CL4/6NX-J Plus (Japan model) with the firmware versions prior to 1.15.5-r1 allow crafted dangerous files to be uploaded. An arbitrary Lua script may be executed on the system with the root privilege.
Severity CVSS v4.0: CRITICAL
Last modification:
06/08/2025

CVE-2025-6013
Publication date:
06/08/2025
Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2025-7771
Publication date:
06/08/2025
ThrottleStop.sys, a legitimate driver, exposes two IOCTL interfaces that allow arbitrary read and write access to physical memory via the MmMapIoSpace function. This insecure implementation can be exploited by a malicious user-mode application to patch the running Windows kernel and invoke arbitrary kernel functions with ring-0 privileges. The vulnerability enables local attackers to execute arbitrary code in kernel context, resulting in privilege escalation and potential follow-on attacks, such as disabling security software or bypassing kernel-level protections. ThrottleStop.sys version 3.0.0.0 and possibly others are affected. Apply updates per vendor instructions.
Severity CVSS v4.0: HIGH
Last modification:
06/08/2025

CVE-2025-8620
Publication date:
06/08/2025
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.6.0. This makes it possible for unauthenticated attackers to extract donor names, emails, and donor id.
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2025-22469
Publication date:
06/08/2025
OS command injection vulnerability exists in CL4/6NX Plus and CL4/6NX-J Plus (Japan model) with the firmware versions prior to 1.15.5-r1. An arbitrary OS command may be executed on the system with a certain non-administrative user privilege.
Severity CVSS v4.0: MEDIUM
Last modification:
06/08/2025

CVE-2025-8556
Publication date:
06/08/2025
A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2025-7202
Publication date:
06/08/2025
A Cross-Site Request Forgery (CSRF) in Elgato's Key Lights and related light products allows an attacker to host a malicious webpage that remotely controlles the victim's lights.
Severity CVSS v4.0: MEDIUM
Last modification:
06/08/2025

CVE-2025-27072
Publication date:
06/08/2025
Information disclosure while processing a packet at EAVB BE side with invalid header length.
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2025-27073
Publication date:
06/08/2025
Transient DOS while creating NDP instance.
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2025-27075
Publication date:
06/08/2025
Memory corruption while processing IOCTL command with larger buffer in Bluetooth Host.
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025
Subscribe to Vulnerabilities