Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-32283
Publication date:
22/10/2025
Deserialization of Untrusted Data vulnerability in designthemes Solar Energy solar allows Object Injection.This issue affects Solar Energy: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
22/10/2025

CVE-2025-32657
Publication date:
22/10/2025
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Testimonial Slider And Showcase Pro testimonial-slider-showcase-pro allows PHP Local File Inclusion.This issue affects Testimonial Slider And Showcase Pro: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
22/10/2025

CVE-2025-39534
Publication date:
22/10/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Somonator Terms Dictionary terms-dictionary allows Reflected XSS.This issue affects Terms Dictionary: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
22/10/2025

CVE-2025-48082
Publication date:
22/10/2025
Incorrect Privilege Assignment vulnerability in Progress Planner Progress Planner progress-planner allows Privilege Escalation.This issue affects Progress Planner: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
22/10/2025

CVE-2025-48091
Publication date:
22/10/2025
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Alexander AnyComment anycomment allows SQL Injection.This issue affects AnyComment: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
22/10/2025

CVE-2025-48092
Publication date:
22/10/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jurajpuchky Fix Multiple Redirects fix-multiple-redirects allows Reflected XSS.This issue affects Fix Multiple Redirects: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
22/10/2025

CVE-2025-11965
Publication date:
22/10/2025
In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], a StaticHandler configuration for restricting access to hidden files fails to restrict access to hidden directories, allowing unauthorized users to retrieve files within them (e.g. '.git/config').
Severity CVSS v4.0: MEDIUM
Last modification:
22/10/2025

CVE-2025-11966
Publication date:
22/10/2025
In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.
Severity CVSS v4.0: LOW
Last modification:
22/10/2025

CVE-2016-15048
Publication date:
22/10/2025
AMTT Hotel Broadband Operation System (HiBOS) contains an unauthenticated command injection vulnerability in the /manager/radius/server_ping.php endpoint. The application constructs a shell command that includes the user-supplied ip parameter and executes it without proper validation or escaping. An attacker can insert shell metacharacters into the ip parameter to inject and execute arbitrary system commands as the web server user. The initial third-party disclosure in 2016 recommended contacting the vendor for remediation guidance. Additionally, this product may have been rebranded under a different name. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-14 at 04:45:53.510819 UTC.
Severity CVSS v4.0: CRITICAL
Last modification:
22/10/2025

CVE-2025-8848
Publication date:
22/10/2025
A vulnerability in danny-avila/librechat version 0.7.9 allows for HTML injection via the Accept-Language header. When a logged-in user sends an HTTP GET request with a crafted Accept-Language header, arbitrary HTML can be injected into the tag of the response. This can lead to potential security risks such as cross-site scripting (XSS) attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
22/10/2025

CVE-2025-61035
Publication date:
22/10/2025
The seffaflik thru 0.0.9 is vulnerable to symlink attacks due to incorrect default permissions given to the .kimlik file and .seffaflik file, which is created with mode 0777 and 0775 respectively, exposing secrets to other local users. Additionally, the .kimlik file is written without symlink checks, allowing local attackers to overwrite arbitrary files. This can result in information disclosure and denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
22/10/2025

CVE-2025-56447
Publication date:
22/10/2025
TM2 Monitoring v3.04 contains an authentication bypass and plaintext credential disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
22/10/2025
Subscribe to Vulnerabilities