Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information. The database is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters, you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-6211

Publication date:
10/07/2025
A vulnerability in the DocugamiReader class of the run-llama/llama_index repository, up to version 0.12.28, involves the use of MD5 hashing to generate IDs for document chunks. This approach leads to hash collisions when structurally distinct chunks contain identical text, resulting in one chunk overwriting another. This can cause loss of semantically or legally important document content, breakage of parent-child chunk hierarchies, and inaccurate or hallucinated responses in AI outputs. The issue is resolved in version 0.3.1.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2025-5037

Publication date:
10/07/2025
A maliciously crafted RFA file, when parsed through Autodesk Revit, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2025-5040

Publication date:
10/07/2025
A maliciously crafted RTE file, when parsed through Autodesk Revit, can force a Heap-Based Overflow vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2025-32990

Publication date:
10/07/2025
A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2024-7650

Publication date:
10/07/2025
Improper Control of Generation of Code ('Code Injection') vulnerability in OpenText™ Directory Services allows Remote Code Inclusion. The vulnerability could allow access to the system via script injection. This issue affects Directory Services: 23.4.
Severity CVSS v4.0: MEDIUM
Last modification:
10/07/2025

CVE-2025-4972

Publication date:
10/07/2025
An issue has been discovered in GitLab EE affecting all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2 that could have allowed authenticated users with invitation privileges to bypass group-level user invitation restrictions by manipulating group invitation functionality.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2025-5022

Publication date:
10/07/2025
Weak Password Requirements vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor “EcoGuideTAB” PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to derive the password from the SSID. However, the product is not affected by this vulnerability when it remains unused for a certain period of time (default: 5 minutes) and enters the power-saving mode with the display unit's LCD screen turned off. The affected products were discontinued in 2015, and support ended in 2020.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2025-5023

Publication date:
10/07/2025
Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor “EcoGuideTAB” PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to disclose information such as generated power and electricity sold back to the grid stored in the product, tamper with or destroy stored or configured information in the product, or cause a Denial-of-Service (DoS) condition on the product, by using hardcoded user ID and password common to the product series obtained by exploiting CVE-2025-5022. However, the product is not affected by this vulnerability when it remains unused for a certain period of time (default: 5 minutes) and enters the power-saving mode with the display unit's LCD screen turned off. The affected products were discontinued in 2015, and support ended in 2020.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2025-6168

Publication date:
10/07/2025
An issue has been discovered in GitLab EE affecting all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2 that could have allowed authenticated maintainers to bypass group-level user invitation restrictions by sending crafted API requests.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2025-6948

Publication date:
10/07/2025
An issue has been discovered in GitLab CE/EE affecting all versions from 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2 that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2025-38342

Publication date:
10/07/2025
In the Linux kernel, the following vulnerability has been resolved:

software node: Correct a OOB check in software_node_get_reference_args()

software_node_get_reference_args() wants to get @index-th element, so the property value requires at least '(index + 1) * sizeof(*ref)' bytes but that can not be guaranteed by current OOB check, and may cause OOB for malformed property.

Fix by using as OOB check '((index + 1) * sizeof(*ref) > prop->length)'.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2025-38343

Publication date:
10/07/2025
In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7996: drop fragments with multicast or broadcast RA

IEEE 802.11 fragmentation can only be applied to unicast frames. Therefore, drop fragments with multicast or broadcast RA. This patch addresses vulnerabilities such as CVE-2020-26145.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025