Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-21413
Publication date:
14/01/2025
Windows Telephony Service Remote Code Execution Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2025

CVE-2025-21417
Publication date:
14/01/2025
Windows Telephony Service Remote Code Execution Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2025

CVE-2025-21607
Publication date:
14/01/2025
Vyper is a Pythonic Smart Contract Language for the EVM. When the Vyper Compiler uses the precompiles EcRecover (0x1) and Identity (0x4), the success flag of the call is not checked. As a consequence an attacker can provide a specific amount of gas to make these calls fail but let the overall execution continue. Then the execution result can be incorrect. Based on EVM's rules, after the failed precompile the remaining code has only 1/64 of the pre-call-gas left (as 63/64 were forwarded and spent). Hence, only fairly simple executions can follow the failed precompile calls. Therefore, we found no significantly impacted real-world contracts. None the less an advisory has been made out of an abundance of caution. This issue is fixed in 0.4.1.
Severity CVSS v4.0: LOW
Last modification:
24/04/2025

CVE-2025-23025
Publication date:
14/01/2025
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. NOTE: The Realtime WYSIWYG Editor extension was **experimental**, and thus **not recommended**, in the versions affected by this vulnerability. It has become enabled by default, and thus recommended, starting with XWiki 16.9.0. A user with only **edit right** can join a realtime editing session where others, that where already there or that may join later, have **script** or **programming** access rights. This user can then insert **script rendering macros** that are executed for those users in the realtime session that have script or programming rights. The inserted scripts can be used to gain more access rights. This vulnerability has been patched in XWiki 15.10.2, 16.4.1 and 16.6.0-rc-1. Users are advised to upgrade. Users unable to upgrade may either disable the realtime WYSIWYG editing by disabling the ``xwiki-realtime`` CKEditor plugin from the WYSIWYG editor administration section or uninstall the Realtime WYSIWYG Editorextension (org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui).
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2025

CVE-2025-23051
Publication date:
14/01/2025
An authenticated parameter injection vulnerability exists in the web-based management interface of the AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated user to leverage parameter injection to overwrite arbitrary system files.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-23052
Publication date:
14/01/2025
Authenticated command injection vulnerability in the command line interface of a network management service. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands as a privileged user on the underlying operating system.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-21395
Publication date:
14/01/2025
Microsoft Access Remote Code Execution Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2025

CVE-2025-21402
Publication date:
14/01/2025
Microsoft Office OneNote Remote Code Execution Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2025

CVE-2025-21403
Publication date:
14/01/2025
On-Premises Data Gateway Information Disclosure Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2025

CVE-2025-21405
Publication date:
14/01/2025
Visual Studio Elevation of Privilege Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
17/01/2025

CVE-2025-21409
Publication date:
14/01/2025
Windows Telephony Service Remote Code Execution Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2025

CVE-2025-21411
Publication date:
14/01/2025
Windows Telephony Service Remote Code Execution Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2025
Subscribe to Vulnerabilities