Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-51947
Publication date:
03/03/2025
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2025

CVE-2024-51948
Publication date:
03/03/2025
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2025

CVE-2024-10904
Publication date:
03/03/2025
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2025

CVE-2025-27499
Publication date:
03/03/2025
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the processa_edicao_socio.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the socio_nome parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 3.2.10.
Severity CVSS v4.0: MEDIUM
Last modification:
06/03/2025

CVE-2025-27500
Publication date:
03/03/2025
OpenZiti is a free and open source project focused on bringing zero trust to any application. An endpoint(/api/upload) on the admin panel can be accessed without any form of authentication. This endpoint accepts an HTTP POST to upload a file which is then stored on the node and is available via URL. This can lead to a stored cross site scripting attack if the file uploaded contains malicious code and is then accessed and executed within the context of the user's browser. This function is no longer necessary as the ziti-console moves from a node server application to a single page application, and has been disabled. The vulnerability is fixed in 3.7.1.
Severity CVSS v4.0: Pending analysis
Last modification:
05/03/2025

CVE-2025-27501
Publication date:
03/03/2025
OpenZiti is a free and open source project focused on bringing zero trust to any application. An endpoint on the admin panel can be accessed without any form of authentication. This endpoint accepts a user-supplied URL parameter to connect to an OpenZiti Controller and performs a server-side request, resulting in a potential Server-Side Request Forgery (SSRF) vulnerability. The fixed version has moved the request to the external controller from the server side to the client side, thereby eliminating the identity of the node from being used to gain any additional permissions. This vulnerability is fixed in 3.7.1.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2025

CVE-2025-25967
Publication date:
03/03/2025
Acora CMS version 10.1.1 is vulnerable to Cross-Site Request Forgery (CSRF). This flaw enables attackers to trick authenticated users into performing unauthorized actions, such as account deletion or user creation, by embedding malicious requests in external content. The lack of CSRF protections allows exploitation via crafted requests.
Severity CVSS v4.0: Pending analysis
Last modification:
06/03/2025

CVE-2025-26206
Publication date:
03/03/2025
Cross Site Request Forgery vulnerability in sell done storefront v.1.0 allows a remote attacker to escalate privileges via the index.html component
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2025

CVE-2025-25939
Publication date:
03/03/2025
Reprise License Manager 14.2 is vulnerable to reflected cross-site scripting in /goform/activate_process via the akey parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
30/12/2025

CVE-2025-1877
Publication date:
03/03/2025
A vulnerability, which was classified as critical, was found in D-Link DAP-1562 1.10. This affects the function pure_auth_check of the component HTTP POST Request Handler. The manipulation of the argument a1 leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Severity CVSS v4.0: HIGH
Last modification:
06/03/2025

CVE-2025-1878
Publication date:
03/03/2025
A vulnerability has been found in i-Drive i11 and i12 up to 20250227 and classified as problematic. This vulnerability affects unknown code of the component WiFi. The manipulation leads to use of default password. Access to the local network is required for this attack to succeed. The complexity of an attack is rather high. The exploitation appears to be difficult. It was not possible to identify the current maintainer of the product. It must be assumed that the product is end-of-life.
Severity CVSS v4.0: LOW
Last modification:
06/03/2025

CVE-2025-1889
Publication date:
03/03/2025
picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle and include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not considered as part of the scope of picklescan, the file would pass security checks and appear to be safe, when it could instead prove to be problematic.
Severity CVSS v4.0: MEDIUM
Last modification:
29/12/2025
Subscribe to Vulnerabilities