Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-59045
Publication date:
10/09/2025
Stalwart is a mail and collaboration server. Starting in version 0.12.0 and prior to version 0.13.3, a memory exhaustion vulnerability exists in Stalwart's CalDAV implementation that allows authenticated attackers to cause denial-of-service by triggering unbounded memory consumption through recurring event expansion. An authenticated attacker can crash the Stalwart server by creating recurring events with large payloads and triggering their expansion through CalDAV REPORT requests. A single malicious request expanding 300 events with 1000-character descriptions can consume up to 2 GB of memory. The vulnerability exists in the `ArchivedCalendarEventData.expand` function, which processes CalDAV `REPORT` requests with event expansion. When a client requests recurring events in their expanded form using the `` element, the server stores all expanded event instances in memory without enforcing size limits. Users should upgrade to Stalwart version 0.13.3 or later to receive a fix. If immediate upgrading is not possible, implement memory limits at the container/system level; monitor server memory usage for unusual spikes; consider rate limiting CalDAV REPORT requests; and restrict CalDAV access to trusted users only.
Severity CVSS v4.0: HIGH
Last modification:
11/09/2025

CVE-2025-58764
Publication date:
10/09/2025
Claude Code is an agentic coding tool. Due to an error in command parsing, versions prior to 1.0.105 were vulnerable to a bypass of the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to version 1.0.105 or the latest version.
Severity CVSS v4.0: HIGH
Last modification:
24/10/2025

CVE-2025-57569
Publication date:
10/09/2025
Tenda F3 V12.01.01.48_multi and after is vulnerable to Buffer Overflow via the portList parameter in /goform/setNAT.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025

CVE-2025-57571
Publication date:
10/09/2025
Tenda F3 V12.01.01.48_multi and after is vulnerable to Buffer Overflow. via the macFilterList parameter in goform/setNAT.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025

CVE-2025-57572
Publication date:
10/09/2025
Tenda F3 V12.01.01.48_multi and after is vulnerable to Buffer Overflow via the onlineList parameter in goform/setParentControl.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025

CVE-2025-57573
Publication date:
10/09/2025
Tenda F3 V12.01.01.48_multi and after is vulnerable to Buffer Overflow via the wifiTimeClose parameter in goform/setWifi.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025

CVE-2025-57570
Publication date:
10/09/2025
Tenda F3 V12.01.01.48_multi and after is vulnerable to Buffer Overflow via the QosList parameter in goform/setQoS.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025

CVE-2025-43938
Publication date:
10/09/2025
Dell PowerProtect Data Manager, version(s) 19.19 and 19.20, Hyper-V contain(s) a Plaintext Storage of a Password vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to gain unauthorized access with privileges of the compromised account.
Severity CVSS v4.0: Pending analysis
Last modification:
20/10/2025

CVE-2025-43884
Publication date:
10/09/2025
Dell PowerProtect Data Manager, version(s) 19.19 and 19.20, Hyper-V contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025

CVE-2025-43885
Publication date:
10/09/2025
Dell PowerProtect Data Manager, version(s) 19.19 and 19.20, Hyper-V contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution.
Severity CVSS v4.0: Pending analysis
Last modification:
20/10/2025

CVE-2025-43886
Publication date:
10/09/2025
Dell PowerProtect Data Manager, version(s) 19.19 and 19.20, Hyper-V contain(s) a Path Traversal: '.../...//' vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Filesystem access for attacker.
Severity CVSS v4.0: Pending analysis
Last modification:
20/10/2025

CVE-2025-43887
Publication date:
10/09/2025
Dell PowerProtect Data Manager, version(s) 19.19 and 19.20, Hyper-V contain(s) an Incorrect Default Permissions vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
20/10/2025
Subscribe to Vulnerabilities