Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-34167
Publication date:
02/01/2026
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
02/01/2026

CVE-2025-34168
Publication date:
02/01/2026
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
02/01/2026

CVE-2025-34169
Publication date:
02/01/2026
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
02/01/2026

CVE-2025-34170
Publication date:
02/01/2026
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
02/01/2026

CVE-2025-34213
Publication date:
02/01/2026
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
02/01/2026

CVE-2025-34171
Publication date:
02/01/2026
CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user-controlled path parameter to access files under /var/lib/casaos/1/, which reveals installed applications and configuration details. Additionally, /v1/sys/debug discloses host operating system, kernel, hardware, and storage information. The endpoints also return distinct error messages, enabling file existence enumeration of arbitrary paths on the underlying host filesystem. This information disclosure can be used for reconnaissance and to facilitate targeted follow-up attacks against services deployed on the host.
Severity CVSS v4.0: MEDIUM
Last modification:
08/01/2026

CVE-2025-15439
Publication date:
02/01/2026
A vulnerability was identified in Daptin 0.10.3. Affected by this vulnerability is the function goqu.L of the file server/resource/resource_aggregate.go of the component Aggregate API. The manipulation of the argument column/group/order leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
08/01/2026

CVE-2025-69284
Publication date:
02/01/2026
Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https[:]//app[.]plane[.]so/[:]slug/settings. Prior to Plane version 1.2.0, a problem occurs when the `/api/workspaces/:slug/members/` is accessible by guest and able to list of users on a specific workspace that they joined. Since the `display_name` in the response is actually the handler of the email, a malicious guest can still identify admin users' email addresses. Version 1.2.0 fixes this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
02/01/2026

CVE-2025-9110
Publication date:
02/01/2026
An exposure of sensitive system information to an unauthorized control sphere vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to read application data.<br /> <br /> We have already fixed the vulnerability in the following versions:<br /> QTS 5.2.8.3332 build 20251128 and later<br /> QuTS hero h5.2.8.3321 build 20251117 and later<br /> QuTS hero h5.3.1.3250 build 20250912 and later
Severity CVSS v4.0: LOW
Last modification:
06/01/2026

CVE-2025-67269
Publication date:
02/01/2026
An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM packet, the payload length is calculated using `lexer-&gt;length = (size_t)c - 4` without checking if the input byte `c` is less than 4. This results in an unsigned integer underflow, setting `lexer-&gt;length` to a very large value (near `SIZE_MAX`). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition.
Severity CVSS v4.0: Pending analysis
Last modification:
09/01/2026

CVE-2025-59387
Publication date:
02/01/2026
An SQL injection vulnerability has been reported to affect MARS (Multi-Application Recovery Service). The remote attackers can then exploit the vulnerability to execute unauthorized code or commands.<br /> <br /> We have already fixed the vulnerability in the following version:<br /> MARS (Multi-Application Recovery Service) 1.2.1.1686 and later
Severity CVSS v4.0: HIGH
Last modification:
02/01/2026

CVE-2025-62840
Publication date:
02/01/2026
A generation of error message containing sensitive information vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If an attacker gains local network access, they can then exploit the vulnerability to read application data.<br /> <br /> We have already fixed the vulnerability in the following version:<br /> HBS 3 Hybrid Backup Sync 26.2.0.938 and later
Severity CVSS v4.0: HIGH
Last modification:
02/01/2026
Subscribe to Vulnerabilities