Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-26538
Publication date:
13/02/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dan Rossiter Prezi Embedder allows Stored XSS. This issue affects Prezi Embedder: from n/a through 2.1.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2025-26539
Publication date:
13/02/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in petkivim Embed Google Map allows Stored XSS. This issue affects Embed Google Map: from n/a through 3.2.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2025-26543
Publication date:
13/02/2025
Cross-Site Request Forgery (CSRF) vulnerability in Pukhraj Suthar Simple Responsive Menu allows Stored XSS. This issue affects Simple Responsive Menu: from n/a through 2.1.
Severity CVSS v4.0: Pending analysis
Last modification:
18/02/2025

CVE-2025-1247
Publication date:
13/02/2025
A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
03/03/2025

CVE-2025-1270
Publication date:
13/02/2025
Insecure direct object reference (IDOR) vulnerability in Anapi Group's h6web, allows an authenticated attacker to access other users' information by making a POST request and modifying the “pkrelated” parameter in the “/h6web/ha_datos_hermano.php” endpoint to refer to another user. In addition, the first request could also allow the attacker to impersonate other users. As a result, all requests made after exploitation of the IDOR vulnerability will be executed with the privileges of the impersonated user.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2025-1271
Publication date:
13/02/2025
Reflected Cross-Site Scripting (XSS) in Anapi Group's h6web. This security flaw could allow an attacker to inject malicious JavaScript code into a URL. When a user accesses that URL, the injected code is executed in their browser, which can result in the theft of sensitive information, identity theft or the execution of unauthorised actions on behalf of the affected user.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2025-1094
Publication date:
13/02/2025
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
Severity CVSS v4.0: Pending analysis
Last modification:
21/02/2025

CVE-2024-13182
Publication date:
13/02/2025
The WP Directorybox Manager plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.5. This is due to incorrect authentication in the 'wp_dp_parse_request' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2025-21700
Publication date:
13/02/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: sched: Disallow replacing of child qdisc from one parent to another<br /> <br /> Lion Ackermann was able to create a UAF which can be abused for privilege<br /> escalation with the following script<br /> <br /> Step 1. create root qdisc<br /> tc qdisc add dev lo root handle 1:0 drr<br /> <br /> step2. a class for packet aggregation do demonstrate uaf<br /> tc class add dev lo classid 1:1 drr<br /> <br /> step3. a class for nesting<br /> tc class add dev lo classid 1:2 drr<br /> <br /> step4. a class to graft qdisc to<br /> tc class add dev lo classid 1:3 drr<br /> <br /> step5.<br /> tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024<br /> <br /> step6.<br /> tc qdisc add dev lo parent 1:2 handle 3:0 drr<br /> <br /> step7.<br /> tc class add dev lo classid 3:1 drr<br /> <br /> step 8.<br /> tc qdisc add dev lo parent 3:1 handle 4:0 pfifo<br /> <br /> step 9. Display the class/qdisc layout<br /> <br /> tc class ls dev lo<br /> class drr 1:1 root leaf 2: quantum 64Kb<br /> class drr 1:2 root leaf 3: quantum 64Kb<br /> class drr 3:1 root leaf 4: quantum 64Kb<br /> <br /> tc qdisc ls<br /> qdisc drr 1: dev lo root refcnt 2<br /> qdisc plug 2: dev lo parent 1:1<br /> qdisc pfifo 4: dev lo parent 3:1 limit 1000p<br /> qdisc drr 3: dev lo parent 1:2<br /> <br /> step10. trigger the bug
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2025

CVE-2024-13867
Publication date:
13/02/2025
The Listivo - Classified Ads WordPress Theme theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the &amp;#39;s&amp;#39; parameter in all versions up to, and including, 2.3.67 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
18/02/2025

CVE-2024-13606
Publication date:
13/02/2025
The JS Help Desk – The Ultimate Help Desk &amp; Support Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.8 via the &amp;#39;jssupportticketdata&amp;#39; directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/jssupportticketdata directory which can contain file attachments included in support tickets.
Severity CVSS v4.0: Pending analysis
Last modification:
18/02/2025

CVE-2024-3303
Publication date:
13/02/2025
An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.6.5, starting from 17.7 prior to 17.7.4, and starting from 17.8 prior to 17.8.2, which allows an attacker to exfiltrate contents of a private issue using prompt injection.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025
Subscribe to Vulnerabilities