Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-44754
Publication date:
28/02/2025
Cryptographic key extraction from internal flash in Minut M2 with firmware version #15142 allows physically proximate attackers to inject modified firmware into any other Minut M2 product via USB.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-26326
Publication date:
28/02/2025
A vulnerability was identified in the NVDA Remote (version 2.6.4) and Tele NVDA Remote (version 2025.3.3) remote connection add-ons, which allows an attacker to obtain total control of the remote system by guessing a weak password. The problem occurs because these add-ons accept any password entered by the user and do not have an additional authentication or computer verification mechanism. Tests indicate that more than 1,000 systems use easy-to-guess passwords, many with less than 4 to 6 characters, including common sequences. This allows brute force attacks or trial-and-error attempts by malicious invaders. The vulnerability can be exploited by a remote attacker who knows or can guess the password used in the connection. As a result, the attacker gains complete access to the affected system and can execute commands, modify files, and compromise user security.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-25916
Publication date:
28/02/2025
wuzhicms v4.1.0 has a Cross Site Scripting (XSS) vulnerability in del function in \coreframe\app\member\admin\group.php.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025

CVE-2025-1747
Publication date:
28/02/2025
HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/login.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2025

CVE-2025-1748
Publication date:
28/02/2025
HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/register.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2025

CVE-2025-1749
Publication date:
28/02/2025
HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/voucher.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2025

CVE-2025-1776
Publication date:
28/02/2025
Cross-Site Scripting (XSS) vulnerability in Soteshop, versions prior to 8.3.4, which could allow remote attackers to execute arbitrary code via the ‘query’ parameter in /app-google-custom-search/searchResults. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-1746
Publication date:
28/02/2025
Cross-Site Scripting vulnerability in OpenCart versions prior to 4.1.0. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the search in the /product/search endpoint. This vulnerability could be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2025

CVE-2025-22274
Publication date:
28/02/2025
It is possible to inject HTML code into the page content using the "content" field in the "Application definition" page.<br /> <br /> <br /> This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer.
Severity CVSS v4.0: LOW
Last modification:
15/04/2026

CVE-2025-1300
Publication date:
28/02/2025
CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. <br /> <br /> The CodeChecker web server contains an open redirect vulnerability due to missing protections against multiple slashes after the product name in the URL. This results in bypassing the protections against CVE-2021-28861, leading to the same open redirect pathway.<br /> <br /> This issue affects CodeChecker: through 6.24.5.
Severity CVSS v4.0: Pending analysis
Last modification:
14/11/2025

CVE-2025-1319
Publication date:
28/02/2025
The Site Mailer – SMTP Replacement, Email API Deliverability &amp; Email Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2025-22270
Publication date:
28/02/2025
An attacker with access to the Administration panel, specifically the "Role Management"<br /> tab, can<br /> inject code by adding a new role in the "name" field. It should be noted, however, that the risk of exploiting vulnerability is reduced due to the<br /> required additional error that allows bypassing the Content-Security-Policy policy, which<br /> mitigates JS code execution while still allowing HTML injection.<br /> <br /> <br /> This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026
Subscribe to Vulnerabilities