Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-59503

Publication date:
23/10/2025
Server-side request forgery (SSRF) in Azure Compute Gallery allows an unauthorized attacker to elevate privileges over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2025

CVE-2025-59500

Publication date:
23/10/2025
Improper access control in Azure Notification Service allows an authorized attacker to elevate privileges over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2025

CVE-2025-59273

Publication date:
23/10/2025
Improper access control in Azure Event Grid allows an unauthorized attacker to elevate privileges over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
28/10/2025

CVE-2025-58078

Publication date:
23/10/2025
A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and write files with arbitrary data on the target machine.
Severity CVSS v4.0: HIGH
Last modification:
27/10/2025

CVE-2025-58456

Publication date:
23/10/2025
A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and read arbitrary files on the target machine.
Severity CVSS v4.0: HIGH
Last modification:
27/10/2025

CVE-2025-12100

Publication date:
23/10/2025
Incorrect Default Permissions vulnerability in MongoDB BI Connector ODBC driver allows Privilege Escalation. This issue affects BI Connector ODBC driver: from 1.0.0 through 1.4.6.
Severity CVSS v4.0: HIGH
Last modification:
27/10/2025

CVE-2025-62517

Publication date:
23/10/2025
Rollbar.js offers error tracking and logging from JavaScript to Rollbar. In versions before 2.26.5 and from 3.0.0-alpha1 to before 3.0.0-beta5, there is a prototype pollution vulnerability in merge(). If application code calls rollbar.configure() with untrusted input, prototype pollution is possible. This issue has been fixed in versions 2.26.5 and 3.0.0-beta5. A workaround involves ensuring that values passed to rollbar.configure() do not contain untrusted input.
Severity CVSS v4.0: Pending analysis
Last modification:
27/10/2025

CVE-2025-55067

Publication date:
23/10/2025
The TLS4B ATG system is vulnerable to improper handling of Unix time values that exceed the 2038 epoch rollover. When the system clock reaches January 19, 2038, it resets to December 13, 1901, causing authentication failures and disrupting core system functionalities such as login access, history visibility, and leak detection termination. This vulnerability could allow an attacker to manipulate the system time to trigger a denial of service (DoS) condition, leading to administrative lockout, operational timer failures, and corrupted log entries.
Severity CVSS v4.0: HIGH
Last modification:
27/10/2025

CVE-2025-57848

Publication date:
23/10/2025
A container privilege escalation flaw was found in certain Container-native Virtualization images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
Severity CVSS v4.0: Pending analysis
Last modification:
27/10/2025

CVE-2025-58428

Publication date:
23/10/2025
The TLS4B ATG system's SOAP-based interface is vulnerable due to its accessibility through the web services handler. This vulnerability enables remote attackers with valid credentials to execute system-level commands on the underlying Linux system. This could allow the attacker to achieve remote command execution, full shell access, and potential lateral movement within the network.
Severity CVSS v4.0: CRITICAL
Last modification:
27/10/2025

CVE-2025-62236

Publication date:
23/10/2025
The Frontier Airlines website has a publicly available endpoint that validates if an email address is associated with an account. An unauthenticated, remote attacker could determine valid email addresses, possibly aiding in further attacks.
Severity CVSS v4.0: MEDIUM
Last modification:
31/12/2025

CVE-2025-54966

Publication date:
23/10/2025
An issue was discovered in BAE SOCET GXP before 4.6.0.2. Some endpoints on the SOCET GXP Job Status Service may return sensitive information in certain situations, including local file paths and SOCET GXP version information.
Severity CVSS v4.0: Pending analysis
Last modification:
28/10/2025