Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-3432
Publication date:
02/03/2026
On SimStudio version below to 0.5.74, the `/api/auth/oauth/token` endpoint contains a code path that bypasses all authorization checks when provided with `credentialAccountUserId` and `providerId` parameters. An unauthenticated attacker can retrieve OAuth access tokens for any user by supplying their user ID and a provider name, effectively stealing credentials to third-party services.
Severity CVSS v4.0: CRITICAL
Last modification:
02/03/2026

CVE-2025-14532
Publication date:
02/03/2026
DobryCMS&amp;#39;s upload file functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can result in Remote Code Execution.<br /> <br /> This issue was fixed in versions above 5.0.
Severity CVSS v4.0: CRITICAL
Last modification:
02/03/2026

CVE-2025-12462
Publication date:
02/03/2026
A Blind SQL injection vulnerability has been identified in DobryCMS. A remote unauthenticated attacker is able to inject SQL syntax into URL path resulting in Blind SQL Injection.<br /> <br /> This issue was fixed in versions above 8.0.
Severity CVSS v4.0: CRITICAL
Last modification:
02/03/2026

CVE-2025-30042
Publication date:
02/03/2026
The CGM CLININET system provides smart card authentication; however, authentication is conducted locally on the client device, and, in reality, only the certificate number is used for access verification. As a result, possession of the certificate number alone is sufficient for authentication, regardless of the actual presence of the smart card or ownership of the private key.
Severity CVSS v4.0: CRITICAL
Last modification:
02/03/2026

CVE-2025-30044
Publication date:
02/03/2026
In the endpoints "/cgi-bin/CliniNET.prd/utils/usrlogstat_simple.pl", "/cgi-bin/CliniNET.prd/utils/usrlogstat.pl", "/cgi-bin/CliniNET.prd/utils/userlogstat2.pl", and "/cgi-bin/CliniNET.prd/utils/dblogstat.pl", the parameters are not sufficiently normalized, which enables code injection.
Severity CVSS v4.0: CRITICAL
Last modification:
02/03/2026

CVE-2025-30062
Publication date:
02/03/2026
In the "CheckUnitCodeAndKey.pl" service, the "validateOrgUnit" function is vulnerable to SQL injection.
Severity CVSS v4.0: MEDIUM
Last modification:
02/03/2026

CVE-2025-58402
Publication date:
02/03/2026
The CGM CLININET application uses direct, sequential object identifiers "MessageID" without proper authorization checks. By modifying the parameter in the GET request, an attacker can access messages and attachments belonging to other users.
Severity CVSS v4.0: HIGH
Last modification:
02/03/2026

CVE-2025-58405
Publication date:
02/03/2026
The CGM CLININET application does not implement any mechanisms that prevent clickjacking attacks, neither HTTP security headers nor HTML-based frame‑busting protections were detected. As a result, an attacker can embed the application inside a maliciously crafted IFRAME and trick users into performing unintended actions, including potentially bypassing CSRF/XSRF defenses.
Severity CVSS v4.0: MEDIUM
Last modification:
02/03/2026

CVE-2025-58406
Publication date:
02/03/2026
The CGM CLININET application respond without essential security HTTP headers, exposing users to client‑side attacks such as clickjacking, MIME sniffing, unsafe caching, weak cross‑origin isolation, and missing transport security controls.
Severity CVSS v4.0: MEDIUM
Last modification:
02/03/2026

CVE-2025-30035
Publication date:
02/03/2026
The vulnerability enables an attacker to fully bypass authentication in CGM CLININET and gain access to any active user account by supplying only the username, without requiring a password or any other credentials. Obtaining a session ID is sufficient for session takeover and grants access to the system with the privileges of the targeted user.
Severity CVSS v4.0: CRITICAL
Last modification:
02/03/2026

CVE-2025-10350
Publication date:
02/03/2026
SQL Injection vulnerability in "imageserver" module when processing C-FIND queries in CGM NETRAAD software allows attacker connected to PACS gaining access to database, including data processed by GCM CLININET software.This issue affects CGM NETRAAD with imageserver module in versions before 7.9.0.
Severity CVSS v4.0: HIGH
Last modification:
02/03/2026

CVE-2026-2584
Publication date:
02/03/2026
A critical SQL Injection (SQLi) vulnerability has been identified in the authentication module of the system. An unauthenticated, remote attacker (AV:N/PR:N) can exploit this flaw by sending specially crafted SQL queries through the login interface. Due to low attack complexity (AC:L) and the absence of specific requirements (AT:N), the vulnerability allows for a total compromise of the system&amp;#39;s configuration data (VC:H/VI:H). While the availability of the service remains unaffected (VA:N), the breach may lead to a limited exposure of sensitive information regarding subsequent or interconnected systems (SC:L).
Severity CVSS v4.0: CRITICAL
Last modification:
02/03/2026
Subscribe to Vulnerabilities