Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-57203

Publication date:
22/09/2025
MagicProject AI version 9.1 is affected by a Cross-Site Scripting (XSS) vulnerability within the chatbot generation feature available to authenticated admin users. The vulnerability resides in the prompt parameter submitted to the /dashboard/user/generator/generate-stream endpoint via a multipart/form-data POST request. Due to insufficient input sanitization, attackers can inject HTML-based JavaScript payloads. This payload is stored and rendered unsanitized in subsequent views, leading to execution in other users' browsers when they access affected content. This issue allows an authenticated attacker to execute arbitrary JavaScript in the context of another user, potentially leading to session hijacking, privilege escalation, data exfiltration, or administrative account takeover. The application does not implement a Content Security Policy (CSP) or adequate input filtering to prevent such attacks. A fix should include proper sanitization, output encoding, and strong CSP enforcement to mitigate exploitation.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2025

CVE-2025-59433

Publication date:
22/09/2025
Conventional Changelog generates changelogs and release notes from a project's commit messages and metadata. Prior to version 2.0.0, @conventional-changelog/git-client has an argument injection vulnerability. This vulnerability manifests with the library's getTags() API, which allows extra parameters to be passed to the git log command. In another API by this library, getRawCommits(), there are secure practices taken to ensure that the extra parameter path is unable to inject an argument by ending the git log command with the special shell syntax --. However, the library does not follow the same practice for getTags(), as it does not attempt to sanitize user input, validate the given params, or restrict them to an allow list. Nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options. This allows users to exploit an argument injection vulnerability in Git due to the --output= command-line option, which results in overwriting arbitrary files. This issue has been patched in version 2.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
22/09/2025

CVE-2025-59432

Publication date:
22/09/2025
SCRAM (Salted Challenge Response Authentication Mechanism) is part of the family of Simple Authentication and Security Layer (SASL, RFC 4422) authentication mechanisms. Prior to version 3.2, a timing attack vulnerability exists in the SCRAM Java implementation. The issue arises because Arrays.equals was used to compare secret values such as client proofs and server signatures. Since Arrays.equals performs a short-circuit comparison, the execution time varies depending on how many leading bytes match. This behavior could allow an attacker to perform a timing side-channel attack and potentially infer sensitive authentication material. All users relying on SCRAM authentication are impacted. This vulnerability has been patched in version 3.1 by replacing Arrays.equals with MessageDigest.isEqual, which ensures constant-time comparison.
Severity CVSS v4.0: MEDIUM
Last modification:
23/01/2026

CVE-2025-10812

Publication date:
22/09/2025
A vulnerability has been found in code-projects Hostel Management System 1.0. This impacts an unknown function of the file /justines/admin/mod_amenities/index.php?view=view. The manipulation of the argument ID leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
23/09/2025

CVE-2025-8892

Publication date:
22/09/2025
A maliciously crafted PRT file, when parsed through certain Autodesk products, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2025

CVE-2025-9960

Publication date:
22/09/2025
A restriction bypass vulnerability in is-localhost-ip could allow attackers to perform Server-Side Request Forgery (SSRF). This issue affects is-localhost-ip: 2.0.0.
Severity CVSS v4.0: MEDIUM
Last modification:
22/09/2025

CVE-2025-59587

Publication date:
22/09/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Shortcodes & Performance allows DOM-Based XSS. This issue affects Penci Shortcodes & Performance: from n/a through n/a.
Severity CVSS v4.0: Pending analysis
Last modification:
22/09/2025

CVE-2025-59588

Publication date:
22/09/2025
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PenciDesign Soledad allows PHP Local File Inclusion. This issue affects Soledad: from n/a through 8.6.8.
Severity CVSS v4.0: Pending analysis
Last modification:
22/09/2025

CVE-2025-59589

Publication date:
22/09/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Soledad allows DOM-Based XSS. This issue affects Soledad: from n/a through 8.6.8.
Severity CVSS v4.0: Pending analysis
Last modification:
22/09/2025

CVE-2025-59590

Publication date:
22/09/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David Lingren Media Library Assistant allows Stored XSS. This issue affects Media Library Assistant: from n/a through 3.28.
Severity CVSS v4.0: Pending analysis
Last modification:
22/09/2025

CVE-2025-59591

Publication date:
22/09/2025
Missing Authorization vulnerability in AdvancedCoding wpDiscuz allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpDiscuz: from n/a through 7.6.33.
Severity CVSS v4.0: Pending analysis
Last modification:
22/09/2025

CVE-2025-59592

Publication date:
22/09/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fernando Acosta Make Column Clickable Elementor allows Stored XSS. This issue affects Make Column Clickable Elementor: from n/a through 1.6.0.
Severity CVSS v4.0: Pending analysis
Last modification:
22/09/2025