Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-49618

Publication date:

03/07/2025

In Plesk Obsidian 18.0.69, unauthenticated requests to /login_up.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint.

Severity CVSS v4.0: Pending analysis

Last modification:

15/04/2026

CVE-2025-49032

Publication date:

03/07/2025

Improper Neutralization of Input During Web Page Generation (&#39;Cross-site Scripting&#39;) vulnerability in PublishPress Gutenberg Blocks advanced-gutenberg allows Stored XSS.This issue affects Gutenberg Blocks: from n/a through

Severity CVSS v4.0: Pending analysis

Last modification:

23/04/2026

CVE-2025-3702

Publication date:

03/07/2025

Missing Authorization vulnerability in Melapress Melapress File Monitor website-file-changes-monitor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Melapress File Monitor: from n/a through

Severity CVSS v4.0: Pending analysis

Last modification:

23/04/2026

CVE-2025-2537

Publication date:

03/07/2025

Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin&#39;s bundled ThickBox JavaScript library (version 3.1) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity CVSS v4.0: Pending analysis

Last modification:

15/04/2026

CVE-2025-6563

Publication date:

03/07/2025

A cross-site scripting vulnerability is present in the hotspot of MikroTik&#39;s RouterOS on versions below 7.19.2. An attacker can inject the `javascript` protocol in the `dst` parameter. When the victim browses to the malicious URL and logs in, the XSS executes. The POST request used to login, can also be converted to a GET request, allowing an attacker to send a specifically crafted URL that automatically logs in the victim (into the attacker&#39;s account) and triggers the payload.

Severity CVSS v4.0: MEDIUM

Last modification:

15/04/2026

CVE-2025-27460

Publication date:

03/07/2025

The hard drives of the device are not encrypted using a full volume encryption feature such as BitLocker. This allows an attacker with physical access to the device to use an alternative operating system to interact with the hard drives, completely circumventing the Windows login. The attacker can read from and write to all files on the hard drives.

Severity CVSS v4.0: Pending analysis

Last modification:

06/02/2026

CVE-2025-27461

Publication date:

03/07/2025

During startup, the device automatically logs in the EPC2 Windows user without requesting a password.

Severity CVSS v4.0: Pending analysis

Last modification:

06/02/2026

CVE-2025-27459

Publication date:

03/07/2025

The VNC application stores its passwords encrypted within the registry but uses DES for encryption. As DES is broken, the original passwords can be recovered.

Severity CVSS v4.0: Pending analysis

Last modification:

29/01/2026

CVE-2025-2540

Publication date:

03/07/2025

Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin&#39;s bundled prettyPhoto library (version 3.1.6) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity CVSS v4.0: Pending analysis

Last modification:

15/04/2026

CVE-2025-40722

Publication date:

03/07/2025

Stored Cross-Site Scripting (XSS) vulnerability in versions prior to Flatboard 3.2.2 of Flatboard Pro, consisting of a stored XSS due to lack of proper validation of user input, through the replace parameter in /config.php/tags.

Severity CVSS v4.0: MEDIUM

Last modification:

15/04/2026

CVE-2025-40723

Publication date:

03/07/2025

Severity CVSS v4.0: MEDIUM

Last modification:

15/04/2026

CVE-2025-27452

Publication date:

03/07/2025

The configuration of the Apache httpd webserver which serves the MEAC300-FNADE4 web application, is partly insecure. There are modules activated that are not required for the operation of the FNADE4 web application. The functionality of the some modules <br /> <br /> pose a risk to the webserver which enable dircetory listing.

Severity CVSS v4.0: Pending analysis

Last modification:

06/02/2026

Subscribe to Vulnerabilities