Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-64435

Publication date:
07/11/2025
KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.7.0-beta.0, a logic flaw in the virt-controller allows an attacker to disrupt the control over a running VMI by creating a pod with the same labels as the legitimate virt-launcher pod associated with the VMI. This can mislead the virt-controller into associating the fake pod with the VMI, resulting in incorrect status updates and potentially causing a DoS (Denial-of-Service). This vulnerability is fixed in 1.7.0-beta.0.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2025
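The flaw class in the KubeVirt entry above is a controller that recognises "its" pod by client-settable labels. The following is an added illustration, not KubeVirt code: the Pod and VMI shapes, the label key and the UIDs are constructed for the example. It contrasts label-only association with association that also requires the server-assigned pod UID the controller recorded when it created the launcher, which is the one attribute an attacker creating a look-alike pod cannot copy.

```python
# Added illustration of the association flaw described above; not KubeVirt code.
# Pod/VMI shapes, label key and UIDs are constructed for the example.
from dataclasses import dataclass, field


@dataclass
class Pod:
    uid: str                 # assigned by the API server, not choosable by a client
    name: str
    labels: dict = field(default_factory=dict)


@dataclass
class VMI:
    uid: str
    name: str
    # The controller's own record of the launcher pod(s) it created for this VMI
    # (hypothetical stand-in for status bookkeeping keyed by pod UID).
    launcher_pod_uids: set = field(default_factory=set)


LAUNCHER_LABEL = "kubevirt.io/created-by"   # assumed label key for the example


def associate_by_labels(vmi: VMI, pods: list) -> list:
    """Flawed: treat any pod whose labels claim membership of this VMI as its
    launcher. Labels are client-settable, so anyone who can create pods in the
    namespace can satisfy this selector."""
    return [p for p in pods if p.labels.get(LAUNCHER_LABEL) == vmi.uid]


def associate_by_recorded_uid(vmi: VMI, pods: list) -> list:
    """Hardened: labels only narrow the candidate set; a pod counts as the
    launcher only if its server-assigned UID is one the controller recorded
    at creation time. An attacker can copy labels but not a UID."""
    return [p for p in associate_by_labels(vmi, pods) if p.uid in vmi.launcher_pod_uids]


def reconcile_status(vmi: VMI, pods: list, associate) -> str:
    """Toy status derivation: exactly one recognised launcher yields a clean
    status; zero or several is the ambiguous state that disrupts control."""
    launchers = associate(vmi, pods)
    if len(launchers) == 1:
        return f"Running on launcher {launchers[0].name}"
    return f"Unknown ({len(launchers)} launcher pods matched)"


def scenario() -> dict:
    """Constructed namespace: the controller-created launcher plus an attacker
    pod carrying identical labels."""
    vmi = VMI(uid="vmi-uid-1", name="testvm")
    legit = Pod(uid="pod-uid-aaaa", name="virt-launcher-testvm-x1",
                labels={LAUNCHER_LABEL: vmi.uid})
    vmi.launcher_pod_uids.add(legit.uid)          # recorded when the pod was created
    fake = Pod(uid="pod-uid-ffff", name="looks-like-a-launcher",
               labels=dict(legit.labels))        # attacker copies the labels
    pods = [legit, fake]
    return {
        "by_labels": reconcile_status(vmi, pods, associate_by_labels),
        "by_uid": reconcile_status(vmi, pods, associate_by_recorded_uid),
    }
```

The general lesson is that a reconciler should trust only identity it minted or that the API server guarantees (UID, ownerReferences it wrote itself), never a selector that any pod-creating principal in the namespace can satisfy.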

CVE-2025-37736

Publication date:
07/11/2025
Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonly user can call APIs that should not be allowed. The list of APIs that are affected by this issue is:
post:/platform/configuration/security/service-accounts
delete:/platform/configuration/security/service-accounts/{user_id}
patch:/platform/configuration/security/service-accounts/{user_id}
post:/platform/configuration/security/service-accounts/{user_id}/keys
delete:/platform/configuration/security/service-accounts/{user_id}/keys/{api_key_id}
patch:/user
post:/users
post:/users/auth/keys
delete:/users/auth/keys
delete:/users/auth/keys/_all
delete:/users/auth/keys/{api_key_id}
delete:/users/{user_id}/auth/keys
delete:/users/{user_id}/auth/keys/{api_key_id}
delete:/users/{user_name}
patch:/users/{user_name}
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2025
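Every endpoint in the Elastic list above is a mutating method (POST, PATCH, DELETE) that a "readonly" principal could reach. The following added example (not Elastic Cloud Enterprise code) turns that list into a regression corpus: a fail-closed check that grants a read-only role safe methods only, beside a hypothetical prefix denylist of the shape that fails open as soon as one route is missing from it.

```python
# Added illustration, not Elastic Cloud Enterprise code: a fail-closed read-only
# role check, audited against the endpoint list from the advisory above.

# Constructed from the advisory text: every endpoint a readonly user could reach.
AFFECTED_ENDPOINTS = [
    "post:/platform/configuration/security/service-accounts",
    "delete:/platform/configuration/security/service-accounts/{user_id}",
    "patch:/platform/configuration/security/service-accounts/{user_id}",
    "post:/platform/configuration/security/service-accounts/{user_id}/keys",
    "delete:/platform/configuration/security/service-accounts/{user_id}/keys/{api_key_id}",
    "patch:/user",
    "post:/users",
    "post:/users/auth/keys",
    "delete:/users/auth/keys",
    "delete:/users/auth/keys/_all",
    "delete:/users/auth/keys/{api_key_id}",
    "delete:/users/{user_id}/auth/keys",
    "delete:/users/{user_id}/auth/keys/{api_key_id}",
    "delete:/users/{user_name}",
    "patch:/users/{user_name}",
]

SAFE_METHODS = {"get", "head", "options"}


def readonly_allowed_by_method(method: str, path: str) -> bool:
    """Fail closed: a read-only principal gets safe methods only. A mutating
    route added next year is denied without anyone having to remember it."""
    return method.lower() in SAFE_METHODS


# Hypothetical contrast: a denylist of 'sensitive' path prefixes, the shape of
# check that fails open as soon as a route is absent from the list.
SENSITIVE_PREFIXES = ("/platform/configuration/security/",)


def readonly_allowed_by_denylist(method: str, path: str) -> bool:
    return not path.startswith(SENSITIVE_PREFIXES)


def audit(check, endpoints=AFFECTED_ENDPOINTS) -> list:
    """Return every endpoint the given check would let a readonly user call.
    Run this against your own gateway's policy with the advisory's list."""
    permitted = []
    for entry in endpoints:
        method, path = entry.split(":", 1)
        if check(method, path):
            permitted.append(entry)
    return permitted
```

Note that the denylist variant still permits patch:/user and every /users route: self-service paths are exactly the ones a route-based list tends to forget, and a read-only role that can rotate its own API keys or create users is not read-only.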

CVE-2025-60574

Publication date:
07/11/2025
A Local File Inclusion (LFI) vulnerability has been identified in tQuadra CMS 4.2.1117. The issue exists in the "/styles/" path, which fails to properly sanitize user-supplied input. An attacker can exploit this by sending a crafted GET request to retrieve arbitrary files from the underlying system.
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2025
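The tQuadra entry above describes a handler under /styles/ that does not confine a user-supplied path to its directory. The following is an added example of doing so correctly; it is not tQuadra CMS code, and the STYLES_ROOT value and the double-decoding assumption are mine. It decodes before normalising, resolves the final path, and compares component-wise against the real root, which is what a literal ".." filter or a startswith() check gets wrong.

```python
# Added example of containing a user-supplied path under a fixed directory;
# not tQuadra CMS code. STYLES_ROOT and the decoding behaviour are assumptions.
import os
from urllib.parse import unquote

STYLES_ROOT = "/srv/cms/styles"   # assumed filesystem root for the /styles/ handler


class PathTraversal(ValueError):
    pass


def resolve_style_path(requested: str, root: str = STYLES_ROOT) -> str:
    """Return the only filesystem path a request for /styles/<requested> may
    read, or raise PathTraversal.

    Order matters: decode first (twice, since frameworks and proxies often
    decode once before the handler sees the value), then normalise, then
    compare against the real root, so that '..', encoded dots and symlinks
    are all judged on the final path rather than on the raw string."""
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        raise PathTraversal("NUL byte in path")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/")))
    # commonpath is component-wise; a plain startswith() would also accept a
    # sibling directory such as /srv/cms/styles-old.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathTraversal(f"{requested!r} resolves outside {root}")
    return candidate


def traverses(requested: str) -> bool:
    """Helper for the probes below: does this request escape the root?"""
    try:
        resolve_style_path(requested)
    except PathTraversal:
        return True
    return False


# Constructed probes of the kind used to confirm an LFI finding, with the
# verdict each should receive.
PROBES = {
    "main.css": False,
    "theme/dark.css": False,
    "../../../../etc/passwd": True,
    "%2e%2e/%2e%2e/%2e%2e/etc/passwd": True,      # single URL encoding
    "%252e%252e/%252e%252e/etc/passwd": True,     # double encoding
    "/etc/passwd": False,                          # leading slash stripped; stays under root
    "main.css%00.png": True,                       # NUL truncation attempt
}
```

A pentester confirming the finding sends the same probes against the live /styles/ path and looks for file contents in the response; the defender's test is that every probe marked True raises.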

CVE-2025-63420

Publication date:
07/11/2025
CrushFTP11 before 11.3.7_57 is vulnerable to stored HTML injection in the CrushFTP Admin Panel (Reports / "Who Created Folder"), enabling persistent HTML execution in admin sessions.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2026

CVE-2025-12418

Publication date:
07/11/2025
Potential Denial of Service issue in all supported versions of Revenera InstallShield version 2025 R1, 2024 R2, 2023 R2, and prior. When, for example, a local administrator performs an uninstall, a symlink may get followed on removal of a user-writable configuration directory and induce a Denial of Service as a result. The issue is resolved through the hotfixes InstallShield2025R1-CVE-2025-12418-SecurityPatch, InstallShield2024R2-CVE-2025-12418-SecurityPatch, and InstallShield2023R2-CVE-2025-12418-SecurityPatch.
Severity CVSS v4.0: MEDIUM
Last modification:
12/11/2025
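The InstallShield entry above is the classic privileged-deleter problem: a high-privilege uninstaller removes a tree a low-privilege user controls, and a planted symlink turns "delete my config" into "delete whatever I point at". The following added example (not InstallShield code) reproduces the behaviour on a POSIX filesystem in a temporary directory and shows the descriptor-based removal that does not follow links; the layout is constructed, and the Windows analogue would be reparse-point-aware deletion.

```python
# Added illustration of the symlink-following removal described above; not
# InstallShield code. Written for a POSIX filesystem (O_NOFOLLOW, dir_fd); the
# directory layout below is constructed for the demonstration.
import os
import shutil
import stat
import tempfile


def naive_rmtree(path: str) -> None:
    """Path-based removal. os.path.isdir() follows symlinks, so a link planted
    in the user-writable tree is descended and its *target* is emptied before
    the link entry itself is removed."""
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isdir(full):
            naive_rmtree(full)
        else:
            os.remove(full)
    try:
        os.rmdir(path)
    except NotADirectoryError:   # 'path' was a symlink: remove the link entry
        os.remove(path)


def safe_rmtree(path: str) -> None:
    """Descriptor-based removal. Every directory is opened with O_NOFOLLOW and
    children are unlinked relative to that descriptor, so a symlink is removed
    as a link and never entered, even one swapped in between check and use."""
    if not stat.S_ISDIR(os.lstat(path).st_mode):
        os.unlink(path)            # top-level link or file: remove the entry only
        return
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        _empty_dir(fd)
    finally:
        os.close(fd)
    os.rmdir(path)


def _empty_dir(dfd: int) -> None:
    for entry in os.scandir(dfd):
        if entry.is_dir(follow_symlinks=False):
            child = os.open(entry.name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dfd)
            try:
                _empty_dir(child)
            finally:
                os.close(child)
            os.rmdir(entry.name, dir_fd=dfd)
        else:
            os.unlink(entry.name, dir_fd=dfd)   # regular files and symlinks alike


def run_scenario(remover) -> dict:
    """Constructed layout: 'victim' holds data the uninstaller must not touch;
    'userconf' is the removable, user-writable directory into which a symlink
    named 'cache' pointing at 'victim' has been planted. Reports what survived."""
    base = tempfile.mkdtemp()
    try:
        victim = os.path.join(base, "victim")
        userconf = os.path.join(base, "userconf")
        os.mkdir(victim)
        os.mkdir(userconf)
        important = os.path.join(victim, "important.dat")
        with open(important, "w") as f:
            f.write("must survive the uninstall\n")
        with open(os.path.join(userconf, "settings.ini"), "w") as f:
            f.write("[app]\n")
        os.symlink(victim, os.path.join(userconf, "cache"))   # the planted link
        remover(userconf)
        return {"userconf_removed": not os.path.lexists(userconf),
                "victim_intact": os.path.exists(important)}
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

The lstat-then-open sequence in safe_rmtree is still a check followed by a use, which is why the open carries O_NOFOLLOW: if the entry is swapped for a link in between, the open fails with ELOOP instead of following it, and the uninstall aborts rather than deleting the wrong tree.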

CVE-2020-36870

Publication date:
07/11/2025
Various Ruijie Gateway EG and NBR models firmware versions 11.1(6)B9P1
Severity CVSS v4.0: CRITICAL
Last modification:
20/11/2025

CVE-2025-64481

Publication date:
07/11/2025
Datasette is an open source multi-tool for exploring and publishing data. In versions 0.65.1 and below and 1.0a0 through 1.0a19, deployed instances of Datasette include an open redirect vulnerability. Hits to the path //example.com/foo/bar/ (the trailing slash is required) will redirect the user to https://example.com/foo/bar. This problem has been patched in both Datasette 0.65.2 and 1.0a21. To workaround this issue, if Datasette is running behind a proxy, that proxy could be configured to replace // with / in incoming request URLs.
Severity CVSS v4.0: LOW
Last modification:
26/12/2025
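The Datasette entry above is a trailing-slash redirect that echoes the request path, so a path beginning with // becomes a Location header beginning with //, which browsers read as a network-path reference to another host. The following added example (not Datasette code; the handler shapes are constructed) shows the naive behaviour, how a user agent resolves the result, and the advisory's collapse-double-slash workaround applied in-process, extended to backslashes because browsers fold those to slashes when parsing special-scheme URLs.

```python
# Added example of the redirect behaviour described above and of its fix;
# not Datasette code. The handler shapes are constructed for the illustration.
import re
from urllib.parse import urlsplit


def naive_trailing_slash_redirect(path: str):
    """A common pattern: requests for '/foo/' redirect to '/foo'. Reusing the
    request path unchanged means a path that *starts* with '//' comes back as
    a Location value starting with '//'."""
    if len(path) > 1 and path.endswith("/"):
        return path[:-1]
    return None


def host_a_browser_would_go_to(location: str):
    """Resolve a Location value the way a user agent does: '//host/...' is a
    network-path reference, so the segment after the double slash is a host.
    Returns None for a same-origin, path-only redirect."""
    return urlsplit(location).netloc or None


def normalise_request_path(path: str) -> str:
    """The proxy workaround from the advisory, applied in-process: collapse a
    run of leading slashes to one. Backslashes are folded first because the
    WHATWG URL parser treats '/\\host' like '//host' for http(s) URLs."""
    path = path.replace("\\", "/")
    return re.sub(r"^/{2,}", "/", path)


def hardened_trailing_slash_redirect(path: str):
    """Normalise before deriving the target, then assert the invariant that
    the Location is a single-slash, same-origin path."""
    target = naive_trailing_slash_redirect(normalise_request_path(path))
    if target is not None and (not target.startswith("/") or target.startswith("//")):
        raise ValueError(f"refusing non-local redirect target {target!r}")
    return target
```

The same invariant check belongs wherever a redirect target is derived from request data: a Location that starts with a single slash and not two is the cheapest test that the redirect stays on the origin.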

CVE-2025-64439

Publication date:
07/11/2025
LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 2.1.2 and below, the JsonPlusSerializer (used as the default serialization protocol for all checkpointing) contains a Remote Code Execution (RCE) vulnerability when deserializing payloads saved in the "json" serialization mode. By default, the serializer attempts to use "msgpack" for serialization. However, prior to version 3.0 of the checkpointer library, if illegal Unicode surrogate values caused serialization to fail, it would fall back to using the "json" mode. This issue is fixed in version 3.0.0.
Severity CVSS v4.0: HIGH
Last modification:
12/11/2025
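The LangGraph entry above describes a serializer that falls back from its binary mode to a more permissive text mode when the binary encode fails, and the failure trigger is a lone Unicode surrogate. The following added example (not LangGraph code) reproduces that trigger with the standard library, shows why the text mode "succeeds" where the binary mode fails, and applies two hardenings: fail closed instead of downgrading, and, if a text mode must exist, decode it with a type allowlist. The tagged-object format and the allowlist are assumptions for the illustration.

```python
# Added illustration of the fallback path described above and two hardenings;
# not LangGraph code. The tagged-object format and allowlist are assumptions.
import json
from datetime import datetime


class SerializationError(Exception):
    pass


def has_lone_surrogate(text: str) -> bool:
    """Code points U+D800..U+DFFF outside a pair cannot be encoded as UTF-8."""
    return any(0xD800 <= ord(ch) <= 0xDFFF for ch in text)


def encode_binary_mode(value) -> bytes:
    """Stand-in for a binary encoder such as msgpack, which writes str as
    UTF-8: a lone surrogate makes the encode step raise UnicodeEncodeError."""
    return json.dumps(value, ensure_ascii=False).encode("utf-8")


def encode_json_mode(value) -> bytes:
    """Text mode with ASCII escaping: the same value 'succeeds' because the
    surrogate is written as the six characters \\ud800. The mode change is
    what matters: the decoder for this mode may accept a richer grammar."""
    return json.dumps(value).encode("ascii")


def dumps_with_fallback(value):
    """The pattern the advisory describes. Returns (mode, payload)."""
    try:
        return "binary", encode_binary_mode(value)
    except UnicodeEncodeError:
        return "json", encode_json_mode(value)


def dumps_fail_closed(value):
    """Hardening 1: an unencodable value is an error, not a silent downgrade
    to a different deserialisation path."""
    try:
        return "binary", encode_binary_mode(value)
    except UnicodeEncodeError as exc:
        raise SerializationError(f"value not encodable in binary mode: {exc.reason}") from exc


# Hardening 2: if a text mode must exist, its decoder reconstructs only
# allowlisted types. The {"__type__": ..., "value": ...} tag is hypothetical.
ALLOWED_TYPES = {
    "datetime": datetime.fromisoformat,
}


def loads_json_mode_allowlisted(payload: bytes):
    def hook(obj):
        tag = obj.get("__type__")
        if tag is None:
            return obj
        if tag not in ALLOWED_TYPES:
            raise SerializationError(f"refusing to construct type {tag!r}")
        return ALLOWED_TYPES[tag](obj["value"])
    return json.loads(payload.decode("utf-8"), object_hook=hook)


def raises(exc_type, fn, *args) -> bool:
    """Helper for the checks below."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False
```

Checkpoint stores are worth singling out here because their payloads are written by the application but are frequently reachable by untrusted input (anything the agent was asked to remember), so "the data came from our own database" is not a trust argument for the decoder.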

CVE-2025-63543

Publication date:
07/11/2025
TechStore 1.0 is vulnerable to Cross Site Scripting (XSS) in the /search_results endpoint via the q parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
21/11/2025

CVE-2025-63544

Publication date:
07/11/2025
TechStore 1.0 is vulnerable to Cross Site Scripting (XSS) in /order_notes via the id parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
21/11/2025

CVE-2025-64442

Publication date:
07/11/2025
HumHub is an Open Source Enterprise Social Network. Versions below 1.17.4 have a XSS vulnerability in the Meta-Search feature which allows malicious input to be executed in search previews. This issue is fixed in version 1.17.4.
Severity CVSS v4.0: HIGH
Last modification:
26/11/2025
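The CrushFTP, TechStore and HumHub entries above are the same bug in three shapes: attacker-controlled text reaching HTML without encoding for the context it lands in, whether reflected from a query parameter (TechStore q and id), stored in a report field (CrushFTP "Who Created Folder") or rendered in a search preview (HumHub). The following added example is not code from any of those projects; the templates are constructed. It shows context-specific encoding for a text node, a quoted attribute and an inline-script literal, and treats stored data as untrusted at render time.

```python
# Added example of context-specific output encoding for the reflected and
# stored cases above; not code from CrushFTP, TechStore or HumHub.
import html
import json


def render_search_page(q: str, hits: list) -> str:
    """Reflected: the query is echoed in two contexts, a quoted attribute and
    a text node. html.escape(quote=True) is safe for both (quotes need not be
    escaped in a text node, but one rule everywhere is easier to audit)."""
    items = "".join(f"<li>{html.escape(h, quote=True)}</li>" for h in hits)
    return (f'<form><input name="q" value="{html.escape(q, quote=True)}"></form>'
            f"<h2>Results for {html.escape(q, quote=True)}</h2><ul>{items}</ul>")


def render_order_notes_script(order_id: str) -> str:
    """Value handed to inline JavaScript: HTML escaping is the wrong tool.
    JSON-encode, then break '</' and '<!--' so the string can neither close
    the <script> element nor open an HTML comment inside it."""
    literal = json.dumps(order_id).replace("</", "<\\/").replace("<!--", "<\\!--")
    return f"<script>loadNotes({literal});</script>"


def render_report_row(created_by: str, folder: str) -> str:
    """Stored: a value written earlier by another principal is untrusted when
    it is rendered. Encoding belongs at output, not only at input."""
    return (f"<tr><td>{html.escape(created_by, quote=True)}</td>"
            f"<td>{html.escape(folder, quote=True)}</td></tr>")
```

A reviewer checking these three pages would look for the place each value enters markup and ask which context it is in; a single "sanitize on save" step at input time would not have covered the inline-script case, and it leaves every record saved before the fix unprotected.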

CVE-2025-12896

Publication date:
07/11/2025
Improper resource management in firmware of some Solidigm DC Products may allow an attacker with local or physical access to gain unauthorized access to a locked storage device.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025