Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-0249
Publication date:
25/07/2025
HCL IEM is affected by an improper invalidation of access or JWT token vulnerability.  A token was not invalidated which may allow attackers to access sensitive data without authorization.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2025

CVE-2025-0250
Publication date:
25/07/2025
HCL IEM is affected by an authorization token sent in cookie vulnerability.  A token used for authentication and authorization is being handled in a manner that may increase its exposure to security risks.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2025

CVE-2025-7742
Publication date:
25/07/2025
An authentication vulnerability exists in the LG Innotek camera model LNV5110R firmware that allows a malicious actor to upload an HTTP POST request to the devices non-volatile storage. This action may result in remote code execution that allows an attacker to run arbitrary commands on the target device at the administrator privilege level.
Severity CVSS v4.0: HIGH
Last modification:
25/07/2025

CVE-2025-22165
Publication date:
24/07/2025
This Medium severity ACE (Arbitrary Code Execution) vulnerability was introduced in version 4.2.8 of Sourcetree for Mac.<br /> <br /> This ACE (Arbitrary Code Execution) vulnerability, with a CVSS Score of 5.9, allows a locally authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. <br /> <br /> Atlassian recommends that Sourcetree for Mac users upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes https://www.sourcetreeapp.com/download-archives .<br /> <br /> You can download the latest version of Sourcetree for Mac from the download center https://www.sourcetreeapp.com/download-archives .<br /> <br /> This vulnerability was found through the Atlassian Bug Bounty Program by Karol Mazurek (AFINE).
Severity CVSS v4.0: MEDIUM
Last modification:
30/07/2025

CVE-2025-32429
Publication date:
24/07/2025
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it&amp;#39;s possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It&amp;#39;s injected as is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1.
Severity CVSS v4.0: CRITICAL
Last modification:
03/09/2025

CVE-2025-53940
Publication date:
24/07/2025
Quiet is an alternative to team chat apps like Slack, Discord, and Element that does not require trusting a central server or running one&amp;#39;s own. In versions 6.1.0-alpha.4 and below, Quiet&amp;#39;s API for backend/frontend communication was using an insecure, not constant-time comparison function for token verification. This allowed for a potential timing attack where an attacker would try different token values and observe tiny differences in the response time (wrong characters fail faster) to guess the whole token one character at a time. This is fixed in version 6.0.1.
Severity CVSS v4.0: HIGH
Last modification:
25/07/2025

CVE-2025-54379
Publication date:
24/07/2025
LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. In versions before 2.2.1, there is a critical SQL Injection vulnerability in the getLast API functionality of the eKuiper project. This flaw allows unauthenticated remote attackers to execute arbitrary SQL statements on the underlying SQLite database by manipulating the table name input in an API request. Exploitation can lead to data theft, corruption, or deletion, and full database compromise. This is fixed in version 2.2.1.
Severity CVSS v4.0: HIGH
Last modification:
10/10/2025

CVE-2025-3614
Publication date:
24/07/2025
The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL attribute of a custom widget in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
28/07/2025

CVE-2025-54369
Publication date:
24/07/2025
Node-SAML is a SAML library not dependent on any frameworks that runs in Node. In versions 5.0.1 and below, Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking signature. This allows an attacker to modify authentication details within a valid SAML assertion. For example, in one attack it is possible to remove any character from the SAML assertion username. This issue is fixed in version 5.1.0.
Severity CVSS v4.0: CRITICAL
Last modification:
15/12/2025

CVE-2025-6260
Publication date:
24/07/2025
The embedded web server on the thermostat listed version ranges contain a vulnerability that allows unauthenticated attackers, either on the local area network or from the Internet via a router with port forwarding set up, to gain direct access to the thermostat&amp;#39;s embedded web server and reset user credentials by manipulating specific elements of the embedded web interface.
Severity CVSS v4.0: CRITICAL
Last modification:
25/07/2025

CVE-2025-8123
Publication date:
24/07/2025
A vulnerability was found in deerwms deer-wms-2 up to 3.3. It has been classified as critical. Affected is an unknown function of the file /system/dept/edit. The manipulation of the argument ancestors leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
28/08/2025

CVE-2025-7404
Publication date:
24/07/2025
Improper Neutralization of Special Elements used in an OS Command (&amp;#39;OS Command Injection&amp;#39;) vulnerability in Calibre Web, Autocaliweb allows Blind OS Command Injection.This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.
Severity CVSS v4.0: MEDIUM
Last modification:
16/01/2026
Subscribe to Vulnerabilities