Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-53874
Publication date:
15/12/2025
GOM Player 2.3.90.5360 contains a buffer overflow vulnerability in the equalizer preset name input field that allows attackers to crash the application. Attackers can overwrite the preset name with 260 'A' characters to trigger a buffer overflow and cause application instability.
Severity CVSS v4.0: MEDIUM
Last modification:
15/12/2025

CVE-2023-36338
Publication date:
15/12/2025
Inventory Management System 1 was discovered to contain a SQL injection vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
15/12/2025

CVE-2023-38913
Publication date:
15/12/2025
SQL injection vulnerability in anirbandutta9 NEWS-BUZZ v.1.0 allows a remote attacker to execute arbitrary code via a crafted script.
Severity CVSS v4.0: Pending analysis
Last modification:
15/12/2025

CVE-2025-67809
Publication date:
15/12/2025
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A hardcoded Flickr API key and secret are present in the publicly accessible Flickr Zimlet used by Zimbra Collaboration. Because these credentials are embedded directly in the Zimlet, any unauthorized party could retrieve them and misuse the Flickr integration. An attacker with access to the exposed credentials could impersonate the legitimate application and initiate valid Flickr OAuth flows. If a user is tricked into approving such a request, the attacker could gain access to the user s Flickr data. The hardcoded credentials have since been removed from the Zimlet code, and the associated key has been revoked.
Severity CVSS v4.0: Pending analysis
Last modification:
15/12/2025

CVE-2025-55703
Publication date:
15/12/2025
An error-based SQL injection vulnerability exists in the Sunbird Power IQ 9.2.0 API. The vulnerability is due to an outdated API endpoint that applied arrays without proper input validation. This can allow attackers to manipulate SQL queries. This has been addressed in Power IQ version 9.2.1, where the API call code was updated to ensure safe handling of input values.
Severity CVSS v4.0: Pending analysis
Last modification:
15/12/2025

CVE-2025-36360
Publication date:
15/12/2025
IBM UCD - IBM UrbanCode Deploy 7.1 through 7.1.2.27, 7.2 through 7.2.3.20, and 7.3 through 7.3.2.15 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.10, and 8.1 through 8.1.2.3 is susceptible to a race condition in http-session client-IP binding enforcement which may allow a session to be briefly reused from a new IP address before it is invalidated, potentially enabling unauthorized access under certain network conditions.
Severity CVSS v4.0: Pending analysis
Last modification:
15/12/2025

CVE-2025-14148
Publication date:
15/12/2025
IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.3 could allow an authenticated user with LLM integration configuration privileges to recover a previously saved LLM API Token.
Severity CVSS v4.0: Pending analysis
Last modification:
15/12/2025

CVE-2025-14503
Publication date:
15/12/2025
An overly-permissive IAM trust policy in the Harmonix on AWS framework may allow authenticated users to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any account principal with sts:AssumeRole permissions to assume the role with administrative privileges. <br /> <br /> We recommend customers upgrade to Harmonix on AWS v0.4.2 or later if you have deployed the framework using versions v0.3.0 through v0.4.1.
Severity CVSS v4.0: HIGH
Last modification:
15/12/2025

CVE-2025-12035
Publication date:
15/12/2025
An integer overflow condition exists in Bluetooth Host stack, within the bt_br_acl_recv routine a critical path for processing inbound BR/EDR L2CAP traffic.
Severity CVSS v4.0: Pending analysis
Last modification:
15/12/2025

CVE-2025-13489
Publication date:
15/12/2025
IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.3 Deploy transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques.
Severity CVSS v4.0: Pending analysis
Last modification:
15/12/2025

CVE-2025-65176
Publication date:
15/12/2025
An issue was discovered in Dynatrace OneAgent before 1.325.47. When attempting to access a remote network share from a machine where OneAgent is installed and receiving a "STATUS_LOGON_FAILURE" error, the agent will retrieve every user token on the machine and repeatedly attempt to access the network share while impersonating them. The exploitation of this vulnerability can allow an unprivileged attacker with access to the affected system to perform NTLM relay attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
15/12/2025

CVE-2025-65213
Publication date:
15/12/2025
MooreThreads torch_musa through all versions contains an unsafe deserialization vulnerability in torch_musa.utils.compare_tool. The compare_for_single_op() and nan_inf_track_for_single_op() functions use pickle.load() on user-controlled file paths without validation, allowing arbitrary code execution. An attacker can craft a malicious pickle file that executes arbitrary Python code when loaded, enabling remote code execution with the privileges of the victim process.
Severity CVSS v4.0: Pending analysis
Last modification:
15/12/2025
Subscribe to Vulnerabilities