Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-53489

Publication date:
03/07/2025
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - GoogleDocs4MW Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - GoogleDocs4MW Extension: from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2025-53500

Publication date:
03/07/2025
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - MassEditRegex Extension allows Stored XSS.This issue affects Mediawiki - MassEditRegex Extension: from 1.39.X before 1.39.12, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2025-53490

Publication date:
03/07/2025
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - CampaignEvents Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - CampaignEvents Extension: from 1.43.X before 1.43.2.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2025-45938

Publication date:
03/07/2025
Akeles Out of Office Assistant for Jira 4.0.1 is vulberable to Cross Site Scripting (XSS) via the Jira fullName parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2025-5961

Publication date:
03/07/2025
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpvivid_upload_import_files' function in all versions up to, and including, 0.9.116. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: Uploaded files are only accessible on WordPress instances running on the NGINX web server as the existing .htaccess within the target file upload folder prevents access on Apache servers.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2025-50263

Publication date:
03/07/2025
Tenda AC6 v15.03.05.16_multi is vulnerable to Buffer Overflow in the fromSetRouteStatic function via the list parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2025-50260

Publication date:
03/07/2025
Tenda AC6 v15.03.05.16_multi is vulnerable to Buffer Overflow in the formSetFirewallCfg function via the firewallEn parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2025-50262

Publication date:
03/07/2025
Tenda AC6 v15.03.05.16_multi is vulnerable to Buffer Overflow in the formSetQosBand function via the list parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2025-50258

Publication date:
03/07/2025
Tenda AC6 v15.03.05.16_multi is vulnerable to Buffer Overflow in the SetSysTimeCfg function via the time parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2025-43713

Publication date:
03/07/2025
ASNA Assist and ASNA Registrar before 2025-03-31 allow deserialization attacks against .NET remoting. These are Windows system services that support license key management and deprecated Windows network authentication. The services are implemented with .NET remoting and can be exploited via well-known deserialization techniques inherent in the technology. Because the services run with SYSTEM-level rights, exploits can be crafted to achieve escalation of privilege and arbitrary code execution. This affects DataGate for SQL Server 17.0.36.0 and 16.0.89.0, DataGate Component Suite 17.0.36.0 and 16.0.89.0, DataGate Monitor 17.0.26.0 and 16.0.65.0, DataGate WebPak 17.0.37.0 and 16.0.90.0, Monarch for .NET 11.4.50.0 and 10.0.62.0, Encore RPG 4.1.36.0, Visual RPG .NET FW 17.0.37.0 and 16.0.90.0, Visual RPG .NET FW Windows Deployment 17.0.36.0 and 16.0.89.0, WingsRPG 11.0.38.0 and 10.0.95.0, Mobile RPG 11.0.35.0 and 10.0.94.0, Monarch Framework for .NET FW 11.0.36.0 and 10.0.89.0, Browser Terminal 17.0.37.0 and 16.0.90.0, Visual RPG Classic 5.2.7.0 and 5.1.17.0, Visual RPG Deployment 5.2.7.0 and 5.1.17.0, and DataGate Studio 17.0.38.0 and 16.0.104.0.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2025-2932

Publication date:
03/07/2025
The JKDEVKIT plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'font_upload_handler' function in all versions up to, and including, 1.9.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). If WooCommerce is enabled, attackers will need Contributor-level access and above.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2025-3702

Publication date:
03/07/2025
Missing Authorization vulnerability in Melapress Melapress File Monitor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Melapress File Monitor: from n/a before 2.2.0.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025