Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-11898
Publication date:
17/10/2025
Agentflow developed by Flowring has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files.
Severity CVSS v4.0: HIGH
Last modification:
17/10/2025

CVE-2025-6893
Publication date:
17/10/2025
An Execution with Unnecessary Privileges vulnerability has been identified in Moxa’s network security appliances and routers. A flaw in broken access control has been identified in the /api/v1/setting/data endpoint of the affected device. This flaw allows a low-privileged authenticated user to call the API without the required permissions, thereby gaining the ability to access or modify system configuration data. Successful exploitation may lead to privilege escalation, allowing the attacker to access or modify sensitive system settings. While the overall impact is high, there is no loss of confidentiality or integrity within any subsequent systems.
Severity CVSS v4.0: CRITICAL
Last modification:
17/10/2025

CVE-2025-6894
Publication date:
17/10/2025
An Execution with Unnecessary Privileges vulnerability has been identified in Moxa’s network security appliances and routers. A flaw in the API authorization logic of the affected device allows an authenticated, low-privileged user to execute the administrative `ping` function, which is restricted to higher-privileged roles. This vulnerability enables the user to perform internal network reconnaissance, potentially discovering internal hosts or services that would otherwise be inaccessible. Repeated exploitation could lead to minor resource consumption. While the overall impact is limited, it may result in some loss of confidentiality and availability on the affected device. There is no impact on the integrity of the device, and the vulnerability does not affect any subsequent systems.
Severity CVSS v4.0: MEDIUM
Last modification:
17/10/2025

CVE-2025-6892
Publication date:
17/10/2025
An Incorrect Authorization vulnerability has been identified in Moxa’s network security appliances and routers. A flaw in the API authentication mechanism allows unauthorized access to protected API endpoints, including those intended for administrative functions. This vulnerability can be exploited after a legitimate user has logged in, as the system fails to properly validate session context or privilege boundaries. An attacker may leverage this flaw to perform unauthorized privileged operations. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems.
Severity CVSS v4.0: HIGH
Last modification:
17/10/2025

CVE-2025-62504
Publication date:
16/10/2025
Envoy is an open source edge and service proxy. Envoy versions earlier than 1.36.2, 1.35.6, 1.34.10, and 1.33.12 contain a use-after-free vulnerability in the Lua filter. When a Lua script executing in the response phase rewrites a response body so that its size exceeds the configured per_connection_buffer_limit_bytes (default 1MB), Envoy generates a local reply whose headers override the original response headers, leaving dangling references and causing a crash. This results in denial of service. Updating to versions 1.36.2, 1.35.6, 1.34.10, or 1.33.12 fixes the issue. Increasing per_connection_buffer_limit_bytes (and for HTTP/2 the initial_stream_window_size) or increasing per_request_buffer_limit_bytes / request_body_buffer_limit can reduce the likelihood of triggering the condition but does not correct the underlying memory safety flaw.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2025

CVE-2025-62506
Publication date:
16/10/2025
MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session policies to bypass their inline policy restrictions when performing operations on their own account, specifically when creating new service accounts for the same user. The vulnerability exists in the IAM policy validation logic where the code incorrectly relied on the DenyOnly argument when validating session policies for restricted accounts. When a session policy is present, the system should validate that the action is allowed by the session policy, not just that it is not denied. An attacker with valid credentials for a restricted service or STS account can create a new service account for itself without policy restrictions, resulting in a new service account with full parent privileges instead of being restricted by the inline policy. This allows the attacker to access buckets and objects beyond their intended restrictions and modify, delete, or create objects outside their authorized scope. The vulnerability is fixed in version RELEASE.2025-10-15T17-29-55Z.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2025

CVE-2025-11896
Publication date:
16/10/2025
In Xpdf 4.05 (and earlier), a PDF object loop in a CMap, via the "UseCMap" entry, leads to infinite recursion and a stack overflow.
Severity CVSS v4.0: LOW
Last modification:
16/10/2025

CVE-2024-42192
Publication date:
16/10/2025
HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a credential leakage which could allow an attacker to access other computers or applications.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2025

CVE-2025-11864
Publication date:
16/10/2025
A vulnerability was identified in NucleoidAI Nucleoid up to 0.7.10. The impacted element is the function extension.apply of the file /src/cluster.ts of the component Outbound Request Handler. Such manipulation of the argument https/ip/port/path/headers leads to server-side request forgery. The attack may be performed from remote.
Severity CVSS v4.0: MEDIUM
Last modification:
16/10/2025

CVE-2025-61554
Publication date:
16/10/2025
A divide-by-zero in VirtIO network device emulation in BitVisor from commit 108df6 (2020-05-20) to commit 480907 (2025-07-06) allows local attackers to cause a denial of service (host hypervisor crash) via a crafted PCI configuration space access.
Severity CVSS v4.0: Pending analysis
Last modification:
17/10/2025

CVE-2025-60358
Publication date:
16/10/2025
radare2 v.5.9.8 and before contains a memory leak in the function _load_relocations.
Severity CVSS v4.0: Pending analysis
Last modification:
17/10/2025

CVE-2025-62425
Publication date:
16/10/2025
MAS (Matrix Authentication Service) is a user management and authentication service for Matrix homeservers, written and maintained by Element. A logic flaw in matrix-authentication-service 0.20.0 through 1.4.0 allows an attacker with access to an authenticated MAS session to perform sensitive operations without entering the current password. These include changing the current password, adding or removing an e-mail address and deactivating the account. The vulnerability only affects instances which have the local password database feature enabled (passwords section in the config). Patched in matrix-authentication-service 1.4.1.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2025
Subscribe to Vulnerabilities