Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters, users can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-12558

Publication date:
09/12/2025
The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4 via the 'get_attachment_sizes' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including the path and meta data of private attachments, which can be used to view the attachments.
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2025

CVE-2025-12504

Publication date:
09/12/2025
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Talent Software UNIS allows SQL Injection. This issue affects UNIS: before 42321.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-12705

Publication date:
09/12/2025
The Social Reviews & Recommendations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in the 'trim_text' function in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.5.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-12807

Publication date:
09/12/2025
A security issue was discovered in DataMosaix Private Cloud, allowing users with low privilege to perform sensitive database operations through exposed API endpoints.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026

CVE-2025-13031

Publication date:
09/12/2025
The WPeMatico RSS Feed Fetcher WordPress plugin before 2.8.13 does not sanitize and escape some of its settings, which could allow high-privilege users such as contributors to perform Stored Cross-Site Scripting attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-12381

Publication date:
09/12/2025
Improper Privilege Management vulnerability in AlgoSec Firewall Analyzer on Linux, 64 bit allows Privilege Escalation, Parameter Injection. A local user with access to the command line may escalate their privileges by abusing the parameters of a command that is approved in the sudoers file. This issue affects Firewall Analyzer: A33.0, A33.10.
Severity CVSS v4.0: MEDIUM
Last modification:
17/12/2025

CVE-2025-10876

Publication date:
09/12/2025
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Talent Software e-BAP Automation allows Cross-Site Scripting (XSS). This issue affects e-BAP Automation: from 1.8.96 before v.41815.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-11022

Publication date:
09/12/2025
Cross-Site Request Forgery (CSRF) vulnerability in Personal Project Panilux allows Cross Site Request Forgery. This CSRF vulnerability resulting in Command Injection has been identified. This issue affects Panilux: before v.0.10.0. NOTE: The vendor was contacted and responded that they deny ownership of the mentioned product.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-10655

Publication date:
09/12/2025
SQL Injection in Frappe HelpDesk in the dashboard get_dashboard_data due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe HelpDesk: 1.14.0.
Severity CVSS v4.0: HIGH
Last modification:
14/04/2026

CVE-2025-10573

Publication date:
09/12/2025
Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session. User interaction is required.
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2025

CVE-2024-56838

Publication date:
09/12/2025
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions
Severity CVSS v4.0: HIGH
Last modification:
13/01/2026

CVE-2024-56839

Publication date:
09/12/2025
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions
Severity CVSS v4.0: HIGH
Last modification:
13/01/2026