Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-59116
Publication date:
18/11/2025
Windu CMS is vulnerable to User Enumeration. This issue occurs during logon, where a difference in messages could allow an attacker to determine if the login is valid or not, enabling a brute force attack with valid logins.<br /> <br /> Only version 4.1 was tested and confirmed as vulnerable.<br /> This issue was fixed in version 4.1 build 2250.
Severity CVSS v4.0: MEDIUM
Last modification:
05/12/2025

CVE-2025-59117
Publication date:
18/11/2025
Windu CMS is vulnerable to multiple Stored Cross-Site Scripting (XSS) vulnerabilities in the page editing endpoint windu/admin/content/pages/edit/. <br /> This vulnerability can be exploited by a privileged user and may target users with higher privileges.<br /> <br /> Only version 4.1 was tested and confirmed as vulnerable.<br /> This issue was fixed in version 4.1 build 2250.
Severity CVSS v4.0: MEDIUM
Last modification:
05/12/2025

CVE-2025-59112
Publication date:
18/11/2025
Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send POST request that deletes given user.<br /> <br /> Only version 4.1 was tested and confirmed as vulnerable.<br /> This issue was fixed in version 4.1 build 2250.
Severity CVSS v4.0: MEDIUM
Last modification:
05/12/2025

CVE-2025-59113
Publication date:
18/11/2025
Windu CMS implements weak client-side brute-force protection by using parameter loginError. Information about attempt count or timeout is not stored on the server, which allows a malicious attacker to bypass this brute-force protection by resetting this parameter.<br /> <br /> Only version 4.1 was tested and confirmed as vulnerable.<br /> This issue was fixed in version 4.1 build 2250.
Severity CVSS v4.0: MEDIUM
Last modification:
05/12/2025

CVE-2025-59114
Publication date:
18/11/2025
Windu CMS is vulnerable to Cross-Site Request Forgery in file uploading functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send malicious file to the server.<br /> <br /> Only version 4.1 was tested and confirmed as vulnerable.<br /> This issue was fixed in version 4.1 build 2250.
Severity CVSS v4.0: MEDIUM
Last modification:
05/12/2025

CVE-2025-59115
Publication date:
18/11/2025
Windu CMS is vulnerable to Stored Cross-Site Scripting (XSS) in the logon page where input data has no proper validation. Malicious attacker can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting logs page by admin.<br /> <br /> Only version 4.1 was tested and confirmed as vulnerable.<br /> This issue was fixed in version 4.1 build 2250.
Severity CVSS v4.0: MEDIUM
Last modification:
05/12/2025

CVE-2025-55179
Publication date:
18/11/2025
Incomplete validation of rich response messages in WhatsApp for iOS prior to v2.25.23.73, WhatsApp Business for iOS v2.25.23.82, and WhatsApp for Mac v2.25.23.83 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device. We have not seen evidence of exploitation in the wild.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2025

CVE-2025-59110
Publication date:
18/11/2025
Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Implemented CSRF protection mechanism can be bypassed by using CSRF token of other user. It is worth noting that the registration is open and anyone can create an account.<br /> <br /> Only version 4.1 was tested and confirmed as vulnerable.<br /> This issue was fixed in version 4.1 build 2250.
Severity CVSS v4.0: MEDIUM
Last modification:
05/12/2025

CVE-2025-59111
Publication date:
18/11/2025
Windu CMS is vulnerable to Broken Access Control in user editing functionality. Malicious attacker can send a GET request which allows privileged users to delete Super Admins which is not possible with GUI.<br /> <br /> Only version 4.1 was tested and confirmed as vulnerable.<br /> This issue was fixed in version 4.1 build 2250.
Severity CVSS v4.0: MEDIUM
Last modification:
05/12/2025

CVE-2025-13349
Publication date:
18/11/2025
A vulnerability has been found in SourceCodester Student Grades Management System 1.0. This issue affects some unknown processing of the file /grades.php of the component Add New Grade Page. The manipulation of the argument Remarks leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
20/11/2025

CVE-2025-13347
Publication date:
18/11/2025
A flaw has been found in SourceCodester Train Station Ticketing System 1.0. This vulnerability affects unknown code of the file /ajax.php?action=save_user. Executing manipulation of the argument Username can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
19/11/2025

CVE-2025-13346
Publication date:
18/11/2025
A vulnerability was detected in SourceCodester Train Station Ticketing System 1.0. This affects an unknown part of the file /ajax.php?action=save_station. Performing manipulation of the argument id/station results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
19/11/2025
Subscribe to Vulnerabilities