Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-68737
Publication date:
24/12/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> arm64/pageattr: Propagate return value from __change_memory_common<br /> <br /> The rodata=on security measure requires that any code path which does<br /> vmalloc -&gt; set_memory_ro/set_memory_rox must protect the linear map alias<br /> too. Therefore, if such a call fails, we must abort set_memory_* and caller<br /> must take appropriate action; currently we are suppressing the error, and<br /> there is a real chance of such an error arising post commit a166563e7ec3<br /> ("arm64: mm: support large block mapping when rodata=full"). Therefore,<br /> propagate any error to the caller.
Severity CVSS v4.0: Pending analysis
Last modification:
29/12/2025

CVE-2025-68738
Publication date:
24/12/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mt76: mt7996: fix null pointer deref in mt7996_conf_tx()<br /> <br /> If a link does not have an assigned channel yet, mt7996_vif_link returns<br /> NULL. We still need to store the updated queue settings in that case, and<br /> apply them later.<br /> Move the location of the queue params to within struct mt7996_vif_link.
Severity CVSS v4.0: Pending analysis
Last modification:
29/12/2025

CVE-2025-68739
Publication date:
24/12/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> PM / devfreq: hisi: Fix potential UAF in OPP handling<br /> <br /> Ensure all required data is acquired before calling dev_pm_opp_put(opp)<br /> to maintain correct resource acquisition and release order.
Severity CVSS v4.0: Pending analysis
Last modification:
29/12/2025

CVE-2025-68740
Publication date:
24/12/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ima: Handle error code returned by ima_filter_rule_match()<br /> <br /> In ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to<br /> the rule being NULL, the function incorrectly skips the &amp;#39;if (!rc)&amp;#39; check<br /> and sets &amp;#39;result = true&amp;#39;. The LSM rule is considered a match, causing<br /> extra files to be measured by IMA.<br /> <br /> This issue can be reproduced in the following scenario:<br /> After unloading the SELinux policy module via &amp;#39;semodule -d&amp;#39;, if an IMA<br /> measurement is triggered before ima_lsm_rules is updated,<br /> in ima_match_rules(), the first call to ima_filter_rule_match() returns<br /> -ESTALE. This causes the code to enter the &amp;#39;if (rc == -ESTALE &amp;&amp;<br /> !rule_reinitialized)&amp;#39; block, perform ima_lsm_copy_rule() and retry. In<br /> ima_lsm_copy_rule(), since the SELinux module has been removed, the rule<br /> becomes NULL, and the second call to ima_filter_rule_match() returns<br /> -ENOENT. This bypasses the &amp;#39;if (!rc)&amp;#39; check and results in a false match.<br /> <br /> Call trace:<br /> selinux_audit_rule_match+0x310/0x3b8<br /> security_audit_rule_match+0x60/0xa0<br /> ima_match_rules+0x2e4/0x4a0<br /> ima_match_policy+0x9c/0x1e8<br /> ima_get_action+0x48/0x60<br /> process_measurement+0xf8/0xa98<br /> ima_bprm_check+0x98/0xd8<br /> security_bprm_check+0x5c/0x78<br /> search_binary_handler+0x6c/0x318<br /> exec_binprm+0x58/0x1b8<br /> bprm_execve+0xb8/0x130<br /> do_execveat_common.isra.0+0x1a8/0x258<br /> __arm64_sys_execve+0x48/0x68<br /> invoke_syscall+0x50/0x128<br /> el0_svc_common.constprop.0+0xc8/0xf0<br /> do_el0_svc+0x24/0x38<br /> el0_svc+0x44/0x200<br /> el0t_64_sync_handler+0x100/0x130<br /> el0t_64_sync+0x3c8/0x3d0<br /> <br /> Fix this by changing &amp;#39;if (!rc)&amp;#39; to &amp;#39;if (rc
Severity CVSS v4.0: Pending analysis
Last modification:
19/01/2026

CVE-2025-68605
Publication date:
24/12/2025
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in PickPlugins Post Grid and Gutenberg Blocks post-grid allows Stored XSS.This issue affects Post Grid and Gutenberg Blocks: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
20/01/2026

CVE-2025-68606
Publication date:
24/12/2025
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPXPO PostX ultimate-post allows Retrieve Embedded Sensitive Data.This issue affects PostX: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
20/01/2026

CVE-2025-68608
Publication date:
24/12/2025
Missing Authorization vulnerability in DeluxeThemes Userpro userpro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Userpro: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
20/01/2026

CVE-2025-68596
Publication date:
24/12/2025
Missing Authorization vulnerability in Bit Apps Bit Assist bit-assist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bit Assist: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
20/01/2026

CVE-2025-68597
Publication date:
24/12/2025
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in BlueGlass Interactive AG Jobs for WordPress job-postings allows Stored XSS.This issue affects Jobs for WordPress: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
20/01/2026

CVE-2025-68598
Publication date:
24/12/2025
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in LiveComposer Page Builder: Live Composer live-composer-page-builder allows Stored XSS.This issue affects Page Builder: Live Composer: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
20/01/2026

CVE-2025-68599
Publication date:
24/12/2025
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Embeds For YouTube Plugin Support YouTube Embed youtube-embed allows Stored XSS.This issue affects YouTube Embed: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
20/01/2026

CVE-2025-68600
Publication date:
24/12/2025
Server-Side Request Forgery (SSRF) vulnerability in Yannick Lefebvre Link Library link-library allows Server Side Request Forgery.This issue affects Link Library: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
20/01/2026
Subscribe to Vulnerabilities