Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-12972
Publication date:
24/11/2025
Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. When the File option is omitted, the plugin uses untrusted tag input to construct file paths. This allows attackers with network access to craft tags containing path traversal sequences that cause Fluent Bit to write files outside the intended output directory.
Severity CVSS v4.0: Pending analysis
Last modification:
28/11/2025

CVE-2025-12977
Publication date:
24/11/2025
Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with network access or the ability to write records into Splunk or Elasticsearch can supply tag_key values containing special characters such as newlines or ../ that are treated as valid tags. Because tags influence routing and some outputs derive filenames or contents from tags, this can allow newline injection, path traversal, forged record injection, or log misrouting, impacting data integrity and log routing.
Severity CVSS v4.0: Pending analysis
Last modification:
28/11/2025

CVE-2025-11921
Publication date:
24/11/2025
iStats contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via command injection.This issue affects iStats: 7.10.4.
Severity CVSS v4.0: HIGH
Last modification:
19/12/2025

CVE-2025-65998
Publication date:
24/11/2025
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.<br /> <br /> When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values.<br /> This is not affecting encrypted plain attributes, whose values are also stored using AES encryption.<br /> <br /> Users are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
26/11/2025

CVE-2025-65503
Publication date:
24/11/2025
Use after free in endpoint destructors in Redboltz async_mqtt 10.2.5 allows local users to cause a denial of service via triggering SSL initialization failure that results in incorrect destruction order between io_context and endpoint objects.
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2025

CVE-2025-65502
Publication date:
24/11/2025
Null pointer dereference in add_ca_certs() in Cesanta Mongoose before 7.2 allows remote attackers to cause a denial of service via TLS initialization where SSL_CTX_get_cert_store() returns NULL.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2025

CVE-2025-65501
Publication date:
24/11/2025
Null pointer dereference in coap_dtls_info_callback() in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a DTLS handshake where SSL_get_app_data() returns NULL.
Severity CVSS v4.0: Pending analysis
Last modification:
01/12/2025

CVE-2025-65500
Publication date:
24/11/2025
NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.
Severity CVSS v4.0: Pending analysis
Last modification:
01/12/2025

CVE-2025-65499
Publication date:
24/11/2025
Array index error in tls_verify_call_back() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_ex_data_X509_STORE_CTX_idx() to return -1.
Severity CVSS v4.0: Pending analysis
Last modification:
01/12/2025

CVE-2025-65498
Publication date:
24/11/2025
NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.
Severity CVSS v4.0: Pending analysis
Last modification:
01/12/2025

CVE-2025-65497
Publication date:
24/11/2025
NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.
Severity CVSS v4.0: Pending analysis
Last modification:
01/12/2025

CVE-2025-65496
Publication date:
24/11/2025
NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.
Severity CVSS v4.0: Pending analysis
Last modification:
01/12/2025
Subscribe to Vulnerabilities