Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-42603
Publication date:
23/04/2025
This vulnerability exists in the Meon KYC solutions due to transmission of sensitive data in plain text within the response payloads of certain API endpoints. An authenticated remote attacker could exploit this vulnerability by intercepting API response that contains unencrypted sensitive information belonging to other users.<br /> <br /> Successful exploitation of this vulnerability could allow remote attacker to impersonate the target user and gain unauthorized access to the user account.
Severity CVSS v4.0: HIGH
Last modification:
23/04/2025

CVE-2025-42604
Publication date:
23/04/2025
This vulnerability exists in Meon KYC solutions due to debug mode is enabled in certain API endpoints. A remote attacker could exploit this vulnerability by accessing certain unauthorized API endpoints leading to detailed error messages as response leading to disclosure of system related information.
Severity CVSS v4.0: MEDIUM
Last modification:
23/04/2025

CVE-2025-42605
Publication date:
23/04/2025
This vulnerability exists in Meon Bidding Solutions due to improper authorization controls on certain API endpoints for the initiation, modification, or cancellation operations. An authenticated remote attacker could exploit this vulnerability by manipulating parameter in the API request body to gain unauthorized access to other user accounts.<br /> <br /> Successful exploitation of this vulnerability could allow remote attacker to perform authorized manipulation of data associated with other user accounts.
Severity CVSS v4.0: CRITICAL
Last modification:
23/04/2025

CVE-2025-42600
Publication date:
23/04/2025
This vulnerability exists in Meon KYC solutions due to missing restrictions on the number of incorrect One-Time Password (OTP) attempts through certain API endpoints of login process. A remote attacker could exploit this vulnerability by performing a brute force attack on OTP, which could lead to gain unauthorized access to other user accounts.
Severity CVSS v4.0: HIGH
Last modification:
23/04/2025

CVE-2025-42601
Publication date:
23/04/2025
This vulnerability exists in Meon KYC solutions due to insufficient server-side validation of the Captcha in certain API endpoints. A remote attacker could exploit this vulnerability by intercepting the request and removing the Captcha parameter leading to bypassing the Captcha verification mechanism.
Severity CVSS v4.0: HIGH
Last modification:
23/04/2025

CVE-2025-42602
Publication date:
23/04/2025
This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints of authentication process. A remote attacker could exploit this vulnerability by intercepting and manipulating the responses through API request body leading to unauthorized access of other user accounts.
Severity CVSS v4.0: HIGH
Last modification:
23/04/2025

CVE-2025-1054
Publication date:
23/04/2025
The UiCore Elements – Free Elementor widgets and templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the UI Counter, UI Icon Box, UI Testimonial Slider, UI Testimonial Grid, and UI Testimonial Carousel widgets in all versions up to, and including, 1.0.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2025

CVE-2024-10306
Publication date:
23/04/2025
A vulnerability was found in mod_proxy_cluster. The issue is that the directive should be replaced by the directive as the former does not restrict IP/host access as `Require ip IP_ADDRESS` would suggest. This means that anyone with access to the host might send MCMP requests that may result in adding/removing/updating nodes for the balancing. However, this host should not be accessible to the public network as it does not serve the general traffic.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2025

CVE-2025-2595
Publication date:
23/04/2025
An unauthenticated remote attacker can bypass the user management in CODESYS Visualization and read visualization template files or static elements by means of forced browsing.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2025

CVE-2025-3529
Publication date:
23/04/2025
The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.1.2 via the &amp;#39;file_url&amp;#39; parameter. This makes it possible for unauthenticated attackers to view potentially sensitive information and download a digital product without paying for it.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2025

CVE-2025-3530
Publication date:
23/04/2025
The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to product price manipulation in all versions up to, and including, 5.1.2. This is due to a logic flaw involving the inconsistent use of parameters during the cart addition process. The plugin uses the parameter &amp;#39;product_tmp_two&amp;#39; for computing a security hash against price tampering while using &amp;#39;wspsc_product&amp;#39; to display the product, allowing an unauthenticated attacker to substitute details from a cheaper product and bypass payment for a more expensive item.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2025

CVE-2025-0618
Publication date:
23/04/2025
A malicious third party could invoke a persistent denial of service vulnerability in FireEye EDR agent by sending a specially-crafted tamper protection event to the HX service to trigger an exception. This exception will prevent any further tamper protection events from being processed, even after a reboot of HX.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2025
Subscribe to Vulnerabilities