Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-4322
Publication date:
20/05/2025
The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2025-3079
Publication date:
20/05/2025
A passback vulnerability which relates to office/small office multifunction printers and laser printers.
Severity CVSS v4.0: MEDIUM
Last modification:
21/05/2025

CVE-2025-4971
Publication date:
20/05/2025
Broadcom Automic<br /> Automation Agent Unix versions
Severity CVSS v4.0: HIGH
Last modification:
21/05/2025

CVE-2025-3078
Publication date:
20/05/2025
A passback vulnerability which relates to production printers and office multifunction printers.
Severity CVSS v4.0: MEDIUM
Last modification:
21/05/2025

CVE-2025-1308
Publication date:
19/05/2025
A vulnerability exists in PX Backup whereby sensitive information may be logged under specific conditions.
Severity CVSS v4.0: HIGH
Last modification:
21/05/2025

CVE-2025-3223
Publication date:
19/05/2025
Improper Limitation of a Pathname to a Restricted Directory (&amp;#39;Path Traversal&amp;#39;) vulnerability in GE Vernova WorkstationST on Windows (EGD Configuration Server modules) allows Path Traversal.This issue affects WorkstationST: WorkstationST V07.10.10C and earlier.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2025-48340
Publication date:
19/05/2025
Cross-Site Request Forgery (CSRF) vulnerability in Danny Vink User Profile Meta Manager user-profile-meta allows Privilege Escalation.This issue affects User Profile Meta Manager: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026

CVE-2025-47944
Publication date:
19/05/2025
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.0 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.0 to receive a patch. No known workarounds are available.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2025-47946
Publication date:
19/05/2025
Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering `{{ attributes }}` or using any method that returns a `ComponentAttributes` instance (e.g. `only()`, `defaults()`, `without()`) ouputs attribute values directly without escaping. If these values are unsafe (e.g. contain user input), this can lead to HTML attribute injection and XSS vulnerabilities. The issue is fixed in version `2.25.1` of `symfony/ux-twig-component` Those who use `symfony/ux-live-component` must also update it to `2.25.1` to benefit from the fix, as it reuses the `ComponentAttributes` class internally. As a workaround, avoid rendering `{{ attributes }}` or derived objects directly if it may contain untrusted values.<br /> Instead, use `{{ attributes.render(&amp;#39;name&amp;#39;) }}` for safe output of individual attributes.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2025-47949
Publication date:
19/05/2025
samlify is a Node.js library for SAML single sign-on. A Signature Wrapping attack has been found in samlify prior to version 2.10.0, allowing an attacker to forge a SAML Response to authenticate as any user. An attacker would need a signed XML document by the identity provider. Version 2.10.0 fixes the issue.
Severity CVSS v4.0: CRITICAL
Last modification:
19/09/2025

CVE-2025-47935
Publication date:
19/05/2025
Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2025-46441
Publication date:
19/05/2025
Path Traversal: &amp;#39;.../...//&amp;#39; vulnerability in ctltwp Section Widget section-widget allows Path Traversal.This issue affects Section Widget: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026
Subscribe to Vulnerabilities