Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-24849
Publication date:
28/02/2025
Lack of encryption in transit for cloud infrastructure facilitating potential for sensitive data manipulation or exposure.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026

CVE-2025-20049
Publication date:
28/02/2025
The Dario Health portal service application is vulnerable to XSS, which could allow an attacker to obtain sensitive information.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026

CVE-2025-20060
Publication date:
28/02/2025
An attacker could expose cross-user personal identifiable information (PII) and personal health information transmitted to the Android device via the Dario Health application database.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026

CVE-2025-23405
Publication date:
28/02/2025
Unauthenticated log effects metrics gathering incident response efforts and potentially exposes risk of injection attacks (ex log injection).
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2025-24316
Publication date:
28/02/2025
The Dario Health Internet-based server infrastructure is vulnerable due to exposure of development environment details, which could lead to unsafe functionality.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2025-24318
Publication date:
28/02/2025
Cookie policy is observable via built-in browser tools. In the presence of XSS, this could lead to full session compromise.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2024-54175
Publication date:
28/02/2025
IBM MQ 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD <br /> <br /> could allow a local user to cause a denial of service due to an improper check for unusual or exceptional conditions.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2025

CVE-2025-0985
Publication date:
28/02/2025
IBM MQ 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD <br /> <br /> stores potentially sensitive information in environment variables that could be obtained by a local user.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2025

CVE-2025-26047
Publication date:
28/02/2025
Loggrove v1.0 is vulnerable to SQL Injection in the read.py file.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2025

CVE-2025-26263
Publication date:
28/02/2025
GeoVision ASManager Windows desktop application with the version 6.1.2.0 or less (fixed in 6.2.0), is vulnerable to credentials disclosure due to improper memory handling in the ASManagerService.exe process.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-27400
Publication date:
28/02/2025
Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Versions prior to 20.12.3 and 20.13.0 contain a vulnerability that allows script execution in the admin panel which could lead to cross-site scripting against authenticated admin users. The attack requires an admin user with configuration access, so in practicality it is not very likely to be useful given that a user with this level of access is probably already a full admin. Versions 20.12.3 and 20.13.0 contain a patch for the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-25461
Publication date:
28/02/2025
A Stored Cross-Site Scripting (XSS) vulnerability exists in SeedDMS 6.0.29. A user or rogue admin with the "Add Category" permission can inject a malicious XSS payload into the category name field. When a document is subsequently associated with this category, the payload is stored on the server and rendered without proper sanitization or output encoding. This results in the XSS payload executing in the browser of any user who views the document.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2025
Subscribe to Vulnerabilities