Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-58599
Publication date:
03/09/2025
Missing Authorization vulnerability in tychesoftwares Order Delivery Date for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Delivery Date for WooCommerce: from n/a through 4.1.0.
Severity CVSS v4.0: Pending analysis
Last modification:
04/09/2025

CVE-2025-57150
Publication date:
03/09/2025
phpgurukul Complaint Management System in PHP 2.0 is vulnerable to Cross Site Scripting (XSS) in admin/subcategory.php via the categoryName parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
04/09/2025

CVE-2025-57151
Publication date:
03/09/2025
phpgurukul Complaint Management System 2.0 is vulnerable to Cross Site Scripting (XSS) in admin/userprofile.php via the fullname parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
04/09/2025

CVE-2025-58593
Publication date:
03/09/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle Orbit Fox by ThemeIsle allows Stored XSS. This issue affects Orbit Fox by ThemeIsle: from n/a through 3.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
04/09/2025

CVE-2025-58458
Publication date:
03/09/2025
In Jenkins Git client Plugin 6.3.2 and earlier, except 6.1.4 and 6.2.1, Git URL field form validation responses differ based on whether the specified file path exists on the controller when specifying `amazon-s3` protocol for use with JGit, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-58459
Publication date:
03/09/2025
Jenkins global-build-stats Plugin 322.v22f4db_18e2dd and earlier does not perform permission checks in its REST API endpoints, allowing attackers with Overall/Read permission to enumerate graph IDs.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-58460
Publication date:
03/09/2025
A missing permission check in Jenkins OpenTelemetry Plugin 3.1543.v8446b_92b_cd64 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-57148
Publication date:
03/09/2025
phpgurukul Online Shopping Portal 2.0 is vulnerable to Arbitrary File Upload in /admin/insert-product.php, due to the lack of extension validation.
Severity CVSS v4.0: Pending analysis
Last modification:
04/09/2025

CVE-2025-57149
Publication date:
03/09/2025
phpgurukul Complaint Management System 2.0 is vulnerable to SQL Injection in /complaint-details.php via the cid parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
04/09/2025

CVE-2025-57146
Publication date:
03/09/2025
phpgurukul Complaint Management System in PHP 2.0 is vulnerable to SQL Injection in user/reset-password.php via the mobileno parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
08/09/2025

CVE-2025-57147
Publication date:
03/09/2025
A SQL Injection vulnerability was found in phpgurukul Complaint Management System 2.0. The vulnerability is due to lack of input validation of multiple parameters including fullname, email, and contactno in user/registration.php.
Severity CVSS v4.0: Pending analysis
Last modification:
08/09/2025

CVE-2025-57052
Publication date:
03/09/2025
cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via the decode_array_index_from_pointer function in cJSON_Utils.c, allowing remote attackers to bypass array bounds checking and access restricted data via malformed JSON pointer strings containing alphanumeric characters.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025
Subscribe to Vulnerabilities