Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-61719
Publication date:
01/10/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2025-61720
Publication date:
01/10/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2025-61721
Publication date:
01/10/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2025-61722
Publication date:
01/10/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2025-61714
Publication date:
01/10/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2025-55191
Publication date:
30/09/2025
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic and crash when concurrent operations are performed on the same repository URL. The vulnerability is located in numerous repository related handlers in the util/db/repository_secrets.go file. A valid API token with repositories resource permissions (create, update, or delete actions) is required to trigger the race condition. This vulnerability causes the entire Argo CD server to crash and become unavailable. Attackers can repeatedly and continuously trigger the race condition to maintain a denial-of-service state, disrupting all GitOps operations. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2025

CVE-2025-61792
Publication date:
30/09/2025
Quadient DS-700 iQ devices through 2025-09-30 might have a race condition during the quick clicking of (in order) the Question Mark button, the Help Button, the About button, and the Help Button, leading to a transition out of kiosk mode into local administrative access. NOTE: the reporter indicates that the "behavior was observed sporadically" during "limited time on the client site," making it not "possible to gain more information about the specific kiosk mode crashing issue," and the only conclusion was "there appears to be some form of race condition." Accordingly, there can be doubt that a reproducible cybersecurity vulnerability was identified; sporadic software crashes can also be caused by a hardware fault on a single device (for example, transient RAM errors). The reporter also describes a variety of other issues, including initial access via USB because of the absence of a "lock-pick resistant locking solution for the External Controller PC cabinet," which is not a cybersecurity vulnerability (section 4.1.5 of the CNA Operational Rules). Finally, it is unclear whether the device or OS configuration was inappropriate, given that the risks are typically limited to insider threats within the mail operations room of a large company.
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2025

CVE-2025-43826
Publication date:
30/09/2025
Stored cross-site scripting (XSS) vulnerabilities in Web Content translation in Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allow remote attackers to inject arbitrary web script or HTML via any rich text field in a web content article.
Severity CVSS v4.0: MEDIUM
Last modification:
15/12/2025

CVE-2025-24525
Publication date:
30/09/2025
Keysight Ixia Vision has an issue with hardcoded cryptographic material <br /> which may allow an attacker to intercept or decrypt payloads sent to the<br /> device via API calls or user authentication if the end user does not <br /> replace the TLS certificate that shipped with the device. Remediation is<br /> available in Version 6.9.1, released on September 23, 2025.
Severity CVSS v4.0: HIGH
Last modification:
02/10/2025

CVE-2022-40285
Publication date:
30/09/2025
Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2024-13967. Reason: This record is a reservation duplicate of CVE-2024-13967. Notes: All CVE users should reference CVE-2024-13967 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2025

CVE-2025-56392
Publication date:
30/09/2025
An Insecure Direct Object Reference (IDOR) in the /dashboard/notes endpoint of Syaqui Collegetivity v1.0.0 allows attackers to impersonate other users and perform arbitrary operations via a crafted POST request.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2025

CVE-2025-36132
Publication date:
30/09/2025
IBM Planning Analytics Local 2.0.0 through 2.0.106 and 2.1.0 through 2.1.13 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2025
Subscribe to Vulnerabilities