Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates that information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2022-50698

Publication date:
24/12/2025
In the Linux kernel, the following vulnerability has been resolved:

ASoC: da7219: Fix an error handling path in da7219_register_dai_clks()

If clk_hw_register() fails, the corresponding clk should not be unregistered.

To handle errors from loops, clean up partial iterations before doing the goto. So add a clk_hw_unregister(). Then use a while (--i >= 0) loop in the unwind section.
Severity CVSS v4.0: Pending analysis
Last modification:
29/12/2025

CVE-2022-50697

Publication date:
24/12/2025
In the Linux kernel, the following vulnerability has been resolved:

mrp: introduce active flags to prevent UAF when applicant uninit

The caller of del_timer_sync must prevent restarting of the timer. If we do not have this synchronization, there is a small probability that the cancellation will not be successful.

And syzbot reports the following crash:
==================================================================
BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline]
BUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605
Write at addr f9ff000024df6058 by task syz-fuzzer/2256
Pointer tag: [f9], memory tag: [fe]

CPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008-ge01d50cbd6ee #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156
 dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline]
 show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x1a8/0x4a0 mm/kasan/report.c:395
 kasan_report+0x94/0xb4 mm/kasan/report.c:495
 __do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320
 do_bad_area arch/arm64/mm/fault.c:473 [inline]
 do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749
 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825
 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367
 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427
 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576
 hlist_add_head include/linux/list.h:929 [inline]
 enqueue_timer+0x18/0xa4 kernel/time/timer.c:605
 mod_timer+0x14/0x20 kernel/time/timer.c:1161
 mrp_periodic_timer_arm net/802/mrp.c:614 [inline]
 mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627
 call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474
 expire_timers+0x98/0xc4 kernel/time/timer.c:1519

To fix it, we can introduce a new active flag to make sure the timer will not restart.
Severity CVSS v4.0: Pending analysis
Last modification:
29/12/2025

CVE-2025-64641

Publication date:
24/12/2025
Mattermost versions 11.1.x
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2025

CVE-2025-13767

Publication date:
24/12/2025
Mattermost versions 11.1.x
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2025

CVE-2025-57840

Publication date:
24/12/2025
ADB (Android Debug Bridge) is affected by type privilege bypass; successful exploitation of this vulnerability may affect service availability.
Severity CVSS v4.0: Pending analysis
Last modification:
29/12/2025

CVE-2024-58335

Publication date:
24/12/2025
OpenXRechnungToolbox through 2024-10-05-3.0.0 before 6c50e89 allows XXE because the disallow-doctype-decl feature is not enabled in visualization/VisualizerImpl.java.
Severity CVSS v4.0: Pending analysis
Last modification:
29/12/2025

CVE-2025-13407

Publication date:
24/12/2025
The Gravity Forms WordPress plugin before 2.9.23.1 does not properly prevent users from uploading dangerous files through its chunked upload functionality, allowing attackers to upload PHP files to affected sites and achieve Remote Code Execution, granted they can discover or enumerate the upload path.
Severity CVSS v4.0: Pending analysis
Last modification:
29/12/2025

CVE-2025-66445

Publication date:
24/12/2025
Authorization bypass vulnerability in Hitachi Infrastructure Analytics Advisor (Data Center Analytics component) and Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component). This issue affects Hitachi Infrastructure Analytics Advisor:; Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.5-00.
Severity CVSS v4.0: Pending analysis
Last modification:
29/12/2025

CVE-2025-66444

Publication date:
24/12/2025
Cross-site Scripting vulnerability in Hitachi Infrastructure Analytics Advisor (Data Center Analytics component) and Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component). This issue affects Hitachi Infrastructure Analytics Advisor:; Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.5-00.
Severity CVSS v4.0: Pending analysis
Last modification:
29/12/2025

CVE-2025-13773

Publication date:
24/12/2025
The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the 'WooCommerce_Delivery_Notes::update' function. This is due to missing capability check in the 'WooCommerce_Delivery_Notes::update' function, PHP enabled in Dompdf, and missing escape in the 'template.php' file. This makes it possible for unauthenticated attackers to execute code on the server.
Severity CVSS v4.0: Pending analysis
Last modification:
29/12/2025

CVE-2025-68688

Publication date:
24/12/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
24/12/2025

CVE-2025-68689

Publication date:
24/12/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
24/12/2025