Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-34434
Publication date:
17/12/2025
AVideo versions prior to 20.0 with the ImageGallery plugin enabled is vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload or delete images associated with any image-based video.
Severity CVSS v4.0: CRITICAL
Last modification:
17/12/2025

CVE-2025-34435
Publication date:
17/12/2025
AVideo versions prior to 20.0 are vulnerable to an insecure direct object reference (IDOR) that allows any authenticated user to delete media files belonging to other users. The affected endpoint validates authentication but fails to verify ownership or edit permissions for the targeted video.
Severity CVSS v4.0: HIGH
Last modification:
17/12/2025

CVE-2025-14760
Publication date:
17/12/2025
Missing cryptographic key commitment in the AWS SDK for C++ may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3&amp;#39;s metadata record.<br /> <br /> To mitigate this issue, upgrade AWS SDK for C++ to version 1.11.712 or later
Severity CVSS v4.0: MEDIUM
Last modification:
17/12/2025

CVE-2025-14759
Publication date:
17/12/2025
Missing cryptographic key commitment in the Amazon S3 Encryption Client for .NET may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3&amp;#39;s metadata record.<br /> <br /> To mitigate this issue, upgrade Amazon S3 Encryption Client for .NET to version 3.2.0 or later.
Severity CVSS v4.0: MEDIUM
Last modification:
17/12/2025

CVE-2025-67171
Publication date:
17/12/2025
Incorrect access control in the /templates/ component of RiteCMS v3.1.0 allows attackers to access sensitive files via directory traversal.
Severity CVSS v4.0: Pending analysis
Last modification:
17/12/2025

CVE-2025-67174
Publication date:
17/12/2025
A local file inclusion (LFI) vulnerability in RiteCMS v3.1.0 allows attackers to read arbitrary files on the host via a directory traversal in the admin_language_file and default_page_language_file in the admin.php component
Severity CVSS v4.0: Pending analysis
Last modification:
17/12/2025

CVE-2025-67170
Publication date:
17/12/2025
A reflected cross-site scripting (XSS) vulnerability in RiteCMS v3.1.0 allows attackers to execute arbitrary code in the context of a user&amp;#39;s browser via a crafted payload.
Severity CVSS v4.0: Pending analysis
Last modification:
17/12/2025

CVE-2025-67173
Publication date:
17/12/2025
A Cross-Site Request Forgery (CSRF) in the page creation/editing function of RiteCMS v3.1.0 allows attackers to arbitrarily create pages via a crafted POST request.
Severity CVSS v4.0: Pending analysis
Last modification:
17/12/2025

CVE-2025-66953
Publication date:
17/12/2025
CSRF vulnerability in narda miteq Uplink Power Contril Unit UPC2 v.1.17 allows a remote attacker to execute arbitrary code via the Web-based management interface and specifically the /system_setup.htm, /set_clock.htm, /receiver_setup.htm, /cal.htm?..., and /channel_setup.htm endpoints
Severity CVSS v4.0: Pending analysis
Last modification:
17/12/2025

CVE-2025-67168
Publication date:
17/12/2025
RiteCMS v3.1.0 was discovered to use insecure encryption to store passwords.
Severity CVSS v4.0: Pending analysis
Last modification:
17/12/2025

CVE-2025-66395
Publication date:
17/12/2025
ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/ListEvents.php` file. When filtering events by type, the `WhichType` POST parameter is not properly sanitized or type-casted before being used in multiple SQL queries. This allows any authenticated user to execute arbitrary SQL commands, including time-based blind SQL injection attacks. Any authenticated user, regardless of their privilege level, can execute arbitrary queries on the database. This could allow them to exfiltrate, modify, or delete any data in the database, including user credentials, financial data, and personal information, leading to a full compromise of the application&amp;#39;s data. Version 6.5.3 fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
17/12/2025

CVE-2025-62521
Publication date:
17/12/2025
ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM&amp;#39;s setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The vulnerability exists in `setup/routes/setup.php` where user input from the setup form is directly concatenated into a PHP configuration template without any validation or sanitization. Any parameter in the setup form can be used to inject PHP code that gets written to `Include/Config.php`, which is then executed on every page load. This is more severe than typical authenticated RCE vulnerabilities because it requires no credentials and affects the installation process that administrators must complete. Version 5.21.0 patches the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
17/12/2025
Subscribe to Vulnerabilities