Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-0661
Publication date:
13/02/2025
The DethemeKit For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.36 via the duplicate_post() function due to insufficient restrictions on which posts can be duplicated. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, draft, or scheduled posts that they should not have access to by duplicating the post.
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2025

CVE-2024-47266
Publication date:
13/02/2025
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in share file list functionality in Synology Active Backup for Business before 2.7.1-13234, 2.7.1-23234 and 2.7.1-3234 allows remote authenticated users with administrator privileges to read specific files containing non-sensitive information via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2026

CVE-2024-47265
Publication date:
13/02/2025
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in encrypted share umount functionality in Synology Active Backup for Business before 2.7.1-13234, 2.7.1-23234 and 2.7.1-3234 allows remote authenticated users to write specific files via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2026

CVE-2025-0327
Publication date:
13/02/2025
CWE-269: Improper Privilege Management vulnerability exists for two services (of which one managing audit<br /> trail data and the other acting as server managing client request) that could cause a loss of Confidentiality,<br /> Integrity and Availability of engineering workstation when an attacker with standard privilege modifies the<br /> executable path of the windows services. To be exploited, services need to be restarted.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026

CVE-2025-0814
Publication date:
13/02/2025
CWE-20: Improper Input Validation vulnerability exists that could cause Denial-of-Service of the network<br /> services running on the product when malicious IEC61850-MMS packets are sent to the device. The core<br /> functionality of the breaker remains intact during the attack.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2024-13346
Publication date:
13/02/2025
The Avada | Website Builder For WordPress &amp; WooCommerce theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.11.13. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2025

CVE-2024-47264
Publication date:
13/02/2025
Improper limitation of a pathname to a restricted directory (&amp;#39;Path Traversal&amp;#39;) vulnerability in agent-related functionality in Synology Active Backup for Business before 2.7.1-13234, 2.7.1-23234 and 2.7.1-3234 allows remote authenticated users with administrator privileges to delete arbitrary files via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2026

CVE-2024-13345
Publication date:
13/02/2025
The Avada Builder plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.11.13. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2025

CVE-2025-1060
Publication date:
13/02/2025
CWE-319: Cleartext Transmission of Sensitive Information vulnerability exists that could result in the exposure<br /> of data when network traffic is being sniffed by an attacker.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026

CVE-2025-1070
Publication date:
13/02/2025
CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could render the device<br /> inoperable when a malicious file is downloaded.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026

CVE-2024-13121
Publication date:
13/02/2025
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile &amp; Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2024-13125
Publication date:
13/02/2025
The Everest Forms WordPress plugin before 3.0.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025
Subscribe to Vulnerabilities