Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which, under a partnership agreement, INCIBE translates into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, since entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recently added vulnerabilities.

CVE-2025-12862

Publication date:
07/11/2025
A vulnerability was identified in projectworlds Online Notes Sharing Platform 1.0. Affected by this issue is some unknown functionality of the file /dashboard/userprofile.php. Manipulation of the argument image leads to unrestricted upload. The attack may be performed remotely. The exploit is publicly available and might be used.
Severity CVSS v4.0: LOW
Last modification:
29/04/2026

CVE-2025-63686

Publication date:
07/11/2025
There is an arbitrary file download vulnerability in GuoMinJim PersonManage through commit 5a02b1ab208feacf3a34fc123c9381162afbaa95 (2020-11-23) in the document query function under the Download Center menu of the PersonManage system.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2026

CVE-2025-63783

Publication date:
07/11/2025
A Broken Object Level Authorization (BOLA) vulnerability was discovered in the tRPC project mutation APIs (update, delete, add/remove tag) of the Onlook web application 0.2.32. The vulnerability exists because the API fails to verify the ownership or membership of the currently authenticated user for the requested project ID. An authenticated attacker can send a malicious request containing another user's project ID to unlawfully modify, delete, or manipulate tags on that project, which can severely compromise data integrity and availability.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2026

CVE-2025-63689

Publication date:
07/11/2025
Multiple SQL injection vulnerabilities in the ycf1998 money-pos system before commit 11f276bd20a41f089298d804e43cb1c39d041e59 (2025-09-14) allow a remote attacker to execute arbitrary code via the orderby parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2026

CVE-2025-63687

Publication date:
07/11/2025
An issue was discovered in rymcu forest through commit f782e85 (2025-09-04) in the function doBefore in the file src/main/java/com/rymcu/forest/core/service/security/AuthorshipAspect.java, allowing authorized attackers to delete arbitrary users' posts.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2026

CVE-2025-63691

Publication date:
07/11/2025
In pig-mesh Pig version 3.8.2 and below, within the Token Management function under the System Management module, the token query interface (/api/admin/sys-token/page) has an improper permission verification issue, which leads to information leakage. This interface can be called by any user who has completed login authentication, and it returns the plaintext authentication tokens of all users currently logged in to the system. As a result, ordinary users can obtain the administrator's authentication token through this interface, thereby forging an administrator account, gaining the system's management permissions, and taking over the system.
Severity CVSS v4.0: Pending analysis
Last modification:
08/12/2025

CVE-2025-63690

Publication date:
07/11/2025
In pig-mesh Pig versions 3.8.2 and below, when setting up scheduled tasks in the Quartz management function under the system management module, it is possible to execute, through reflection, any Java class with a parameterless constructor and any of its methods that take a String parameter. In that case, the eval method of Tomcat's built-in class jakarta.el.ELProcessor can be used to execute commands, leading to a remote code execution vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
08/12/2025

CVE-2025-58469

Publication date:
07/11/2025
A cross-site request forgery (CSRF) vulnerability has been reported to affect QuLog Center. Remote attackers can then exploit the vulnerability to gain privileges or hijack user identities.
We have already fixed the vulnerability in the following version:
QuLog Center 1.8.2.927 ( 2025/09/17 ) and later
Severity CVSS v4.0: LOW
Last modification:
14/11/2025

CVE-2025-58464

Publication date:
07/11/2025
A relative path traversal vulnerability has been reported to affect QuMagie. If exploited by a remote attacker, the vulnerability can be used to read the contents of unexpected files or system data.
We have already fixed the vulnerability in the following version:
QuMagie 2.7.3 and later
Severity CVSS v4.0: HIGH
Last modification:
14/11/2025

CVE-2025-58465

Publication date:
07/11/2025
A cross-site scripting (XSS) vulnerability has been reported to affect Download Station. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass security mechanisms or read application data.
We have already fixed the vulnerability in the following versions:
Download Station 5.10.0.305 ( 2025/09/16 ) and later
Download Station 5.10.0.304 ( 2025/09/08 ) and later
Severity CVSS v4.0: LOW
Last modification:
17/11/2025

CVE-2025-57706

Publication date:
07/11/2025
A cross-site scripting (XSS) vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass security mechanisms or read application data.
We have already fixed the vulnerability in the following version:
File Station 5 5.5.6.5018 and later
Severity CVSS v4.0: LOW
Last modification:
14/11/2025

CVE-2025-57712

Publication date:
07/11/2025
A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data.
We have already fixed the vulnerability in the following version:
Qsync Central 5.0.0.3 ( 2025/08/28 ) and later
Severity CVSS v4.0: MEDIUM
Last modification:
14/11/2025