Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-8383
Publication date:
31/10/2025
The Depicter plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions less than, or equal to, 4.0.4. This is due to missing or incorrect nonce validation on the depicter-document-rules-store function. This makes it possible for unauthenticated attackers to modify document rules via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-62232
Publication date:
31/10/2025
Sensitive data exposure via logging in basic-auth leads to plaintext usernames and passwords written to error logs and forwarded to log sinks when log level is INFO/DEBUG. This creates a high risk of credential compromise through log access.<br /> It has been fixed in the following commit:  https://github.com/apache/apisix/pull/12629 <br /> Users are recommended to upgrade to version 3.14, which fixes this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
05/11/2025

CVE-2025-30188
Publication date:
31/10/2025
Malicious or unintentional API requests can be used to add significant amount of data to caches. Caches may evict information that is required to operate the web frontend, which leads to unavailability of the component. Please deploy the provided updates and patch releases. No publicly available exploits are known
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-30191
Publication date:
31/10/2025
Malicious content from E-Mail can be used to perform a redressing attack. Users can be tricked to perform unintended actions or provide sensitive information to a third party which would enable further threats. Attribute values containing HTML fragments are now denied by the sanitization procedure. No publicly available exploits are known
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-30189
Publication date:
31/10/2025
When cache is enabled, some passdb/userdb drivers incorrectly cache all users with same cache key, causing wrong cached information to be used for these users. After cached login, all subsequent logins are for same user. Install fixed version or disable caching either globally or for the impacted passdb/userdb drivers. No publicly available exploits are known.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-12094
Publication date:
31/10/2025
The OOPSpam Anti-Spam: Spam Protection for WordPress Forms &amp; Comments (No CAPTCHA) plugin for WordPress is vulnerable to IP Header Spoofing in all versions up to, and including, 1.2.53. This is due to the plugin trusting client-controlled forwarded headers (such as CF-Connecting-IP, X-Forwarded-For, and others) without verifying that those headers originate from legitimate, trusted proxies. This makes it possible for unauthenticated attackers to spoof their IP address and bypass IP-based security controls, including blocked IP lists and rate limiting protections, by sending arbitrary HTTP headers with their requests.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-12175
Publication date:
31/10/2025
The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the &amp;#39;tec_qr_code_modal&amp;#39; AJAX endpoint in all versions up to, and including, 6.15.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view draft event names and generate/view QR codes for them.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-10897
Publication date:
31/10/2025
The WooCommerce Designer Pro theme for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.9.28. This makes it possible for unauthenticated attackers to read arbitrary files on the server, which can expose DB credentials when the wp-config.php file is read.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-6520
Publication date:
31/10/2025
Improper Neutralization of Special Elements used in an SQL Command (&amp;#39;SQL Injection&amp;#39;) vulnerability in Abis Technology BAPSIS allows Blind SQL Injection.This issue affects BAPSIS: before 202510271606.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-8385
Publication date:
31/10/2025
The Zombify plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.5. This is due to insufficient input validation in the zf_get_file_by_url function. This makes it possible for authenticated attackers, with subscriber-level access and above, to read arbitrary files on the server, including sensitive system files like /etc/passwd, via a forged request. It&amp;#39;s worth noting that successfully exploiting this vulnerability relies on a race condition as the file generated will be deleted immediately.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-7846
Publication date:
31/10/2025
The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the save_fields() function in all versions up to, and including, 16.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-8489
Publication date:
31/10/2025
The King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor plugin for WordPress is vulnerable to privilege escalation in versions 24.12.92 to 51.1.14 . This is due to the plugin not properly restricting the roles that users can register with. This makes it possible for unauthenticated attackers to register with administrator-level user accounts.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025
Subscribe to Vulnerabilities