Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-68383
Publication date:
18/12/2025
Improper Validation of Specified Index, Position, or Offset in Input (CWE-1285) in Filebeat Syslog parser and the Libbeat Dissect processor can allow a user to trigger a Buffer Overflow (CAPEC-100) and cause a denial of service (panic/crash) of the Filebeat process via either a malformed Syslog message or a malicious tokenizer pattern in the Dissect configuration.
Severity CVSS v4.0: Pending analysis
Last modification:
23/12/2025

CVE-2025-65046
Publication date:
18/12/2025
Microsoft Edge (Chromium-based) Spoofing Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
06/01/2026

CVE-2025-65041
Publication date:
18/12/2025
Improper authorization in Microsoft Partner Center allows an unauthorized attacker to elevate privileges over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
06/01/2026

CVE-2025-65037
Publication date:
18/12/2025
Improper control of generation of code ('code injection') in Azure Container Apps allows an unauthorized attacker to execute code over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
15/01/2026

CVE-2025-64677
Publication date:
18/12/2025
Improper neutralization of input during web page generation ('cross-site scripting') in Office Out-of-Box Experience allows an unauthorized attacker to perform spoofing over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2026

CVE-2025-64676
Publication date:
18/12/2025
'.../...//' in Microsoft Purview allows an authorized attacker to execute code over a network.
Severity CVSS v4.0: Pending analysis
Last modification:
06/01/2026

CVE-2025-64663
Publication date:
18/12/2025
Custom Question Answering Elevation of Privilege Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2026

CVE-2025-34452
Publication date:
18/12/2025
Streama versions 1.10.0 through 1.10.5 and prior to commit b7c8767 contain a combination of path traversal and server-side request forgery (SSRF) vulnerabilities in that allow an authenticated attacker to write arbitrary files to the server filesystem. The issue exists in the subtitle download functionality, where user-controlled parameters are used to fetch remote content and construct file paths without proper validation. By supplying a crafted subtitle download URL and a path traversal sequence in the file name, an attacker can write files to arbitrary locations on the server, potentially leading to remote code execution.
Severity CVSS v4.0: HIGH
Last modification:
19/12/2025

CVE-2025-34450
Publication date:
18/12/2025
merbanan/rtl_433 versions up to and including 25.02 and prior to commit 25e47f8 contain a stack-based buffer overflow vulnerability in the function parse_rfraw() located in src/rfraw.c. When processing crafted or excessively large raw RF input data, the application may write beyond the bounds of a stack buffer, resulting in memory corruption or a crash. This vulnerability can be exploited to cause a denial of service and, under certain conditions, may be leveraged for further exploitation depending on the execution environment and available mitigations.
Severity CVSS v4.0: MEDIUM
Last modification:
31/12/2025

CVE-2025-34451
Publication date:
18/12/2025
rofl0r/proxychains-ng versions up to and including 4.17 and prior to commit cc005b7 contain a stack-based buffer overflow vulnerability in the function proxy_from_string() located in src/libproxychains.c. When parsing crafted proxy configuration entries containing overly long username or password fields, the application may write beyond the bounds of fixed-size stack buffers, leading to memory corruption or crashes. This vulnerability may allow denial of service and, under certain conditions, could be leveraged for further exploitation depending on the execution environment and applied mitigations.
Severity CVSS v4.0: MEDIUM
Last modification:
31/12/2025

CVE-2025-34449
Publication date:
18/12/2025
Genymobile/scrcpy versions up to and including 3.3.3, prior to commit 3e40b24, contain a buffer overflow vulnerability in the sc_device_msg_deserialize() function. A compromised device can send crafted messages that cause out-of-bounds reads, which may result in memory corruption or a denial-of-service condition. This vulnerability may allow further exploitation on the host system.
Severity CVSS v4.0: MEDIUM
Last modification:
03/01/2026

CVE-2025-13427
Publication date:
18/12/2025
An authentication bypass vulnerability in Google Cloud Dialogflow CX Messenger allowed unauthenticated users to interact with restricted chat agents, gaining access to the agents&amp;#39; knowledge and the ability to trigger their intents, by manipulating initialization parameters or crafting specific API requests. <br /> <br /> All versions after August 20th, 2025 have been updated to protect from this vulnerability. No user action is required for this.
Severity CVSS v4.0: MEDIUM
Last modification:
19/12/2025
Subscribe to Vulnerabilities