Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-11522
Publication date:
09/10/2025
The Search & Go - Directory WordPress Theme theme for WordPress is vulnerable to Authentication Bypass via account takeover in all versions up to, and including, 2.7. This is due to insufficient user validation in the search_and_go_elated_check_facebook_user() function This makes it possible for unauthenticated attackers to gain access to other user's accounts, including administrators, when Facebook login is enabled.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2025

CVE-2025-11539
Publication date:
09/10/2025
Grafana Image Renderer is vulnerable to remote code execution due to an arbitrary file write vulnerability. This is due to the fact that the /render/csv endpoint lacked validation of the filePath parameter that allowed an attacker to save a shared object to an arbitrary location that is then loaded by the Chromium process.<br /> <br /> Instances are vulnerable if:<br /> <br /> 1. The default token ("authToken") is not changed, or is known to the attacker.<br /> 2. The attacker can reach the image renderer endpoint.<br /> This issue affects grafana-image-renderer: from 1.0.0 through 4.0.16.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2025

CVE-2025-7634
Publication date:
09/10/2025
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.6.7 via the mode parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2025

CVE-2025-7526
Publication date:
09/10/2025
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to arbitrary file deletion (via renaming) due to insufficient file path validation in the set_user_profile_image function in all versions up to, and including, 6.6.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2025

CVE-2025-6038
Publication date:
09/10/2025
The Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme plugin for WordPress is vulnerable to privilege escalation via password update in all versions up to, and including, 1.4.0. This is due to the plugin not properly validating a user&amp;#39;s identity prior to updating their password. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user&amp;#39;s passwords, including those of administrators.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2025

CVE-2025-47355
Publication date:
09/10/2025
Memory corruption while invoking remote procedure IOCTL calls.
Severity CVSS v4.0: Pending analysis
Last modification:
05/11/2025

CVE-2025-47354
Publication date:
09/10/2025
Memory corruption while allocating buffers in DSP service.
Severity CVSS v4.0: Pending analysis
Last modification:
05/11/2025

CVE-2025-47351
Publication date:
09/10/2025
Memory corruption while processing user buffers.
Severity CVSS v4.0: Pending analysis
Last modification:
05/11/2025

CVE-2025-47349
Publication date:
09/10/2025
Memory corruption while processing an escape call.
Severity CVSS v4.0: Pending analysis
Last modification:
05/11/2025

CVE-2025-47342
Publication date:
09/10/2025
Transient DOS may occur when multi-profile concurrency arises with QHS enabled.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2025

CVE-2025-47347
Publication date:
09/10/2025
Memory corruption while processing control commands in the virtual memory management interface.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2025

CVE-2025-47341
Publication date:
09/10/2025
memory corruption while processing an image encoding completion event.
Severity CVSS v4.0: Pending analysis
Last modification:
05/11/2025
Subscribe to Vulnerabilities