Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-62595
Publication date:
21/10/2025
Koa is expressive middleware for Node.js using ES2017 async functions. In versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3, a bypass to CVE-2025-8129 was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate the Referer header to force a user’s browser to navigate to an external, potentially malicious website. This occurs because the implementation incorrectly treats some specially crafted URLs as safe relative paths. Exploiting this vulnerability could allow attackers to perform phishing, social engineering, or other redirect-based attacks on users of affected applications. This issue has been patched in version 3.0.3.
Severity CVSS v4.0: Pending analysis
Last modification:
20/01/2026

CVE-2025-11534
Publication date:
21/10/2025
The affected Raisecom devices allow SSH sessions to be established without completing user authentication. This could allow attackers to gain shell access without valid credentials.
Severity CVSS v4.0: CRITICAL
Last modification:
21/10/2025

CVE-2025-60280
Publication date:
21/10/2025
Cross-Site Scripting (XSS) vulnerability in Bang Resto v1.0 could allow an attacker to inject malicious JavaScript code into the application's web pages. This vulnerability exists due to insufficient input sanitization or output encoding, allowing attacker-controlled input to be rendered directly in the browser. When exploited, an attacker can steal session cookies, redirect users to malicious sites, perform actions on behalf of the user, or deface the website. This can lead to user data compromise, loss of user trust, and a broader attack surface for more advanced exploitation techniques.
Severity CVSS v4.0: Pending analysis
Last modification:
31/10/2025

CVE-2025-61181
Publication date:
21/10/2025
daicuocms V1.3.13 contains an arbitrary file upload vulnerability in the image upload feature.
Severity CVSS v4.0: Pending analysis
Last modification:
23/10/2025

CVE-2025-61194
Publication date:
21/10/2025
daicuocms V1.3.13 contains a SQL injection vulnerability in the file library\think\db\Builder.php.
Severity CVSS v4.0: Pending analysis
Last modification:
23/10/2025

CVE-2025-60751
Publication date:
21/10/2025
GeographicLib 2.5 is vulnerable to Buffer Overflow in GeoConvert DMS::InternalDecode.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-61220
Publication date:
21/10/2025
The incomplete verification mechanism in the AutoBizLine com.mysecondline.app 1.2.91 allows attackers to log in as other users and gain unauthorized access to their personal information.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2025

CVE-2025-62250
Publication date:
21/10/2025
Improper Authentication in Liferay Portal 7.4.0 through 7.4.3.132, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to send malicious data to the Liferay Portal 7.4.0 through 7.4.3.132, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions that will treat it as trusted data via unauthenticated cluster messages.
Severity CVSS v4.0: MEDIUM
Last modification:
12/12/2025

CVE-2025-12024
Publication date:
21/10/2025
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2025

CVE-2025-22166
Publication date:
21/10/2025
This High severity DoS (Denial of Service) vulnerability was introduced in version 2.0 of Confluence Data Center.<br /> <br /> This DoS (Denial of Service) vulnerability, with a CVSS Score of 8.3, allows an attacker to cause a resource to be unavailable for its intended users by temporarily or indefinitely disrupting services of a host connected to a network.<br /> <br /> Atlassian recommends that Confluence Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:<br /> Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.25<br /> Confluence Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.7<br /> Confluence Data Center and Server 10.0: Upgrade to a release greater than or equal to 10.0.2<br /> <br /> See the release notes ([https://confluence.atlassian.com/doc/confluence-release-notes-327.html]). You can download the latest version of Confluence Data Center from the download center ([https://www.atlassian.com/software/confluence/download-archives]).<br /> <br /> This vulnerability was reported via our Atlassian (Internal) program.
Severity CVSS v4.0: HIGH
Last modification:
05/12/2025

CVE-2025-60344
Publication date:
21/10/2025
An unauthenticated Local File Inclusion (LFI) vulnerability in D-Link DSR series routers allows remote attackers to retrieve sensitive configuration files in clear text. The exposed files contain administrative credentials, VPN settings, and other sensitive information, enabling full administrative access to the router. Affected Products include: DSR-150, DSR-150N, and DSR-250N v1.09B32_WW.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2025

CVE-2025-60932
Publication date:
21/10/2025
Multiple stored cross-site scripting (XSS) vulnerabilities in the Current Goals function of HR Performance Solutions Performance Pro v3.19.17 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Goal Name, Goal Notes, Action Step Name, Action Step Description, Note Name, and Goal Description parameters. The patched version is PP-Release-6.3.2.0.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2025
Subscribe to Vulnerabilities