Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-41410
Publication date:
16/10/2025
Mattermost versions 10.10.x
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2025

CVE-2025-0277
Publication date:
16/10/2025
HCL BigFix Mobile 3.3 and earlier are vulnerable to certain insecure directives within the Content Security Policy (CSP). An attacker could trick users into performing actions by not properly restricting the sources of scripts and other content.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2025

CVE-2025-0276
Publication date:
16/10/2025
HCL BigFix Modern Client Management (MCM) 3.3 and earlier are vulnerable to certain insecure directives within the Content Security Policy (CSP). An attacker could trick users into performing actions by not properly restricting the sources of scripts and other content.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2025

CVE-2025-55091
Publication date:
16/10/2025
In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_ip_packet_receive() function when received an Ethernet with type set as IP but no IP data.
Severity CVSS v4.0: MEDIUM
Last modification:
21/10/2025

CVE-2025-41443
Publication date:
16/10/2025
Mattermost versions 10.5.x
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2025

CVE-2025-41019
Publication date:
16/10/2025
SQL injection in Sergestec's SISTICK v7.2. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'id' parameter in '/index.php?view=ticket_detail'.
Severity CVSS v4.0: CRITICAL
Last modification:
16/10/2025

CVE-2025-41020
Publication date:
16/10/2025
Insecure direct object reference (IDOR) vulnerability in Sergestec's Exito v8.0. This vulnerability allows an attacker to access data belonging to other customers through the 'id' parameter in '/admin/ticket_a4.php'.
Severity CVSS v4.0: HIGH
Last modification:
21/10/2025

CVE-2025-41021
Publication date:
16/10/2025
Stored Cross-Site Scripting (XSS) in Sergestec's Exito v8.0, consisting of a stored XSS due to a lack of proper validation of user input by sending a POST request using the 'obs' parameter in '/admin/index.php?action=product_update'. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
Severity CVSS v4.0: MEDIUM
Last modification:
21/10/2025

CVE-2025-41018
Publication date:
16/10/2025
SQL injection in Sergestec's Exito v8.0. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'cat' parameter in '/public.php'.
Severity CVSS v4.0: CRITICAL
Last modification:
21/10/2025

CVE-2025-55084
Publication date:
16/10/2025
In NetX Duo version before 6.4.4, the component of Eclipse Foundation ThreadX, there was an incorrect bound check in_nx_secure_tls_proc_clienthello_supported_versions_extension() in the extension version field.
Severity CVSS v4.0: MEDIUM
Last modification:
21/10/2025

CVE-2025-55090
Publication date:
16/10/2025
In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_ipv4_packet_receive() function when received an Ethernet frame with less than 4 bytes of IP packet.
Severity CVSS v4.0: MEDIUM
Last modification:
21/10/2025

CVE-2025-62583
Publication date:
16/10/2025
Whale Browser before 4.33.325.17 allows an attacker to escape the iframe sandbox in a dual-tab environment.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2025
Subscribe to Vulnerabilities