Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-59469

Publication date:
08/01/2026
This vulnerability allows a Backup or Tape Operator to write files as root.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2025-59470

Publication date:
08/01/2026
This vulnerability allows a Backup Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2025-61547

Publication date:
08/01/2026
Cross-Site Request Forgery (CSRF) is present on all functions in edu Business Solutions Print Shop Pro WebDesk version 18.34. The application does not implement proper CSRF tokens or other protective measures, allowing a remote attacker to trick authenticated users into unknowingly executing unintended actions within their session. This can lead to unauthorized data modification such as credential updates.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2025-59468

Publication date:
08/01/2026
This vulnerability allows a Backup Administrator to perform remote code execution (RCE) as the postgres user by sending a malicious password parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2025-61246

Publication date:
08/01/2026
indieka900 online-shopping-system-php 1.0 is vulnerable to SQL Injection in master/review_action.php via the proId parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2025-61548

Publication date:
08/01/2026
SQL Injection is present on the hfInventoryDistFormID parameter in the /PSP/appNET/Store/CartV12.aspx/GetUnitPrice endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34. Unsanitized user input is incorporated directly into SQL queries without proper parameterization or escaping. This vulnerability allows remote attackers to execute arbitrary SQL commands.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2025-61549

Publication date:
08/01/2026
Cross-Site Scripting (XSS) is present on the LoginID parameter on the /PSP/app/web/reg/reg_display.asp endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34. Unsanitized user input is reflected in HTTP responses without proper HTML encoding or escaping. This allows attackers to execute arbitrary JavaScript in the context of a victim's browser session.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2025-61550

Publication date:
08/01/2026
Cross-Site Scripting (XSS) is present on the ctl00_Content01_fieldValue parameters on the /psp/appNet/TemplateOrder/TemplatePreview.aspx endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34. User-supplied input is stored and later rendered in HTML pages without proper output encoding or sanitization. This allows attackers to persistently inject arbitrary JavaScript that executes in the context of other users' sessions.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2025-56425

Publication date:
08/01/2026
An issue was discovered in the AppConnector component version 10.10.0.183 and earlier of enaio 10.10, in the AppConnector component version 11.0.0.183 and earlier of enaio 11.0, and in the AppConnector component version 11.10.0.183 and earlier of enaio 11.10. The vulnerability allows authenticated remote attackers to inject arbitrary SMTP commands via crafted input to the /osrest/api/organization/sendmail endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2025-55125

Publication date:
08/01/2026
This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as root by creating a malicious backup configuration file.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2025-50334

Publication date:
08/01/2026
An issue in Technitium DNS Server v.13.5 allows a remote attacker to cause a denial of service via the rate-limiting component.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2025-56424

Publication date:
08/01/2026
An issue in Insiders Technologies GmbH e-invoice pro before release 1 Service Pack 2 allows a remote attacker to cause a denial of service via a crafted script.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026