Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-42926
Publication date:
09/09/2025
SAP NetWeaver Application Server Java does not perform an authentication check when an attacker attempts to access internal files within the web application.Upon successfully exploitation, an unauthenticated attacker could access these files to gather additional sensitive information about the system.This vulnerability has a low impact on confidentiality and does not affect the integrity or availability of the server.
Severity CVSS v4.0: Pending analysis
Last modification:
23/10/2025

CVE-2025-42927
Publication date:
09/09/2025
SAP NetWeaver AS Java application uses Adobe Document Service, installed with a vulnerable version of OpenSSL.Successful exploitation of known vulnerabilities in the outdated OpenSSL library would allow user with high system privileges to access and modify system information.This vulnerability has a low impact on confidentiality and integrity, with no impact on availability.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2025

CVE-2025-42929
Publication date:
09/09/2025
Due to missing input validation, an attacker with high privilege access to ABAP reports could delete the content of arbitrary database tables, if the tables are not protected by an authorization group. This leads to a high impact on integrity and availability of the database.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2025

CVE-2025-42930
Publication date:
09/09/2025
SAP Business Planning and Consolidation allows an authenticated standard user to call a function module by crafting specific parameters that causes a loop, consuming excessive resources and resulting in system unavailability. This leads to high impact on the availability of the application, there is no impact on confidentiality or integrity.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2025

CVE-2025-42933
Publication date:
09/09/2025
When a user logs in via SAP Business One native client, the SLD backend service fails to enforce proper encryption of certain APIs. This leads to exposure of sensitive credentials within http response body. As a result, it has a high impact on the confidentiality, integrity, and availability of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2025

CVE-2025-42938
Publication date:
09/09/2025
Due to a Cross-Site Scripting (XSS) vulnerability in the SAP NetWeaver ABAP Platform, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated user clicks on this link, the injected input is processed during the website�s page generation, resulting in the creation of malicious content. When executed, this content allows the attacker to access or modify information within the victim's browser scope, impacting the confidentiality and integrity�while availability remains unaffected.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2025

CVE-2025-42918
Publication date:
09/09/2025
SAP NetWeaver Application Server for ABAP allows authenticated users with access to background processing to gain unauthorized read access to profile parameters. This results in a low impact on confidentiality, with no impact on integrity or availability
Severity CVSS v4.0: Pending analysis
Last modification:
23/10/2025

CVE-2025-42920
Publication date:
09/09/2025
Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated victim clicks on the link, the injected input is processed during the page generation, resulting in the execution of malicious content. This execution allows the attacker to access and modify information within the victim's browser scope, impacting confidentiality and integrity, while availability remains unaffected.
Severity CVSS v4.0: Pending analysis
Last modification:
24/10/2025

CVE-2025-42922
Publication date:
09/09/2025
SAP NetWeaver AS Java allows an attacker authenticated as a non-administrative user to use a flaw in an available service to upload an arbitrary file. This file when executed can lead to a full compromise of confidentiality, integrity and availability of the system.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2025

CVE-2025-42923
Publication date:
09/09/2025
Due to insufficient CSRF protection in SAP Fiori App Manage Work Center Groups, an authenticated user could be tricked by an attacker to send unintended request to the web server. This has low impact on integrity and no impact on confidentiality and availability of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2025

CVE-2025-42925
Publication date:
09/09/2025
Due to the lack of randomness in assigning Object Identifiers in the SAP NetWeaver AS JAVA IIOP service, an authenticated attacker with low privileges could predict the identifiers by conducting a brute force search. By leveraging knowledge of several identifiers generated close to the same time, the attacker could determine a desired identifier which could enable them to access limited system information. This poses a low risk to confidentiality without impacting the integrity or availability of the service.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2025

CVE-2025-42913
Publication date:
09/09/2025
Due to missing authorization checks, SAP HCM My Timesheet Fiori 2.0 application allows an authenticated attacker with in-depth system knowledge to escalate privileges and perform activities that are otherwise restricted, resulting in a low impact on the integrity of the application. Confidentiality and availability are not impacted.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2025
Subscribe to Vulnerabilities