Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-3518
Publication date:
22/04/2025
It technically possible for a user to upload a file to a conversation despite the file upload functionality being disabled.<br /> <br /> The file upload functionality can be enabled or disabled for specific use cases through configuration. In case the functionality is disabled for at least one use case, the system nevertheless allows files to be uploaded through direct API requests. During the upload file, interception and allowed file type rules are still applied correctly.<br /> <br /> If file sharing is generally enabled, this issue is not of concern.
Severity CVSS v4.0: MEDIUM
Last modification:
23/06/2025

CVE-2025-3519
Publication date:
22/04/2025
An authorization bypass in Unblu Spark allows a participant of a conversation to replace an existing, uploaded file.<br /> <br /> Every uploaded file in Unblu gets assigned with a randomly generated Universally Unique ID (UUID). In case a participant of this or another conversation gets access to such a file ID, it can be used to replace the file without changing the file name and details or the name of the user who uploaded the file. During the upload, file interception and allowed file type rules are still applied correctly.
Severity CVSS v4.0: HIGH
Last modification:
23/04/2025

CVE-2025-26413
Publication date:
22/04/2025
Improper Input Validation vulnerability in Apache Kvrocks.<br /> <br /> The SETRANGE command didn&amp;#39;t check if the `offset` input is a positive integer and use it as an index<br /> of a string. So it will cause the server to crash due to its index is  out of range.<br /> This issue affects Apache Kvrocks: through 2.11.1.<br /> <br /> Users are recommended to upgrade to version 2.12.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2025

CVE-2025-3814
Publication date:
22/04/2025
The Tax Switch for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class-name’ parameter in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2025

CVE-2025-2839
Publication date:
22/04/2025
The WP Import Export Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpiePreviewData’ function in all versions up to, and including, 3.9.27 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
07/08/2025

CVE-2024-13569
Publication date:
22/04/2025
The Front End Users WordPress plugin through 3.2.32 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2025

CVE-2025-2594
Publication date:
22/04/2025
The User Registration &amp; Membership WordPress plugin before 4.1.3 does not properly validate data in an AJAX action when the Membership Addon is enabled, allowing attackers to authenticate as any user, including administrators, by simply using the target account&amp;#39;s user ID.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2025

CVE-2024-46899
Publication date:
22/04/2025
Hitachi Ops Center Common Services within Hitachi Ops Center Analyzer viewpoint OVF contains an authentication credentials leakage vulnerability.This issue affects Hitachi Ops Center Common Services: from 10.0.0-00 before 11.0.0-04; Hitachi Ops Center Analyzer viewpoint OVF: from 10.0.0-00 before 11.0.0-04.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2025

CVE-2025-2300
Publication date:
22/04/2025
Hitachi Ops Center Common Services within Hitachi Ops Center OVA contains an information exposure vulnerability.<br /> This issue affects Hitachi Ops Center Common Services: from 11.0.3-00 before 11.0.4-00.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2025

CVE-2025-3616
Publication date:
22/04/2025
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the gspb_make_proxy_api_request() function in versions 11.4 to 11.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site&amp;#39;s server which may make remote code execution possible. The arbitrary file upload was sufficiently patched in 11.4.5, but a capability check was added in 11.4.6 to properly prevent unauthorized limited file uploads.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2025

CVE-2025-1731
Publication date:
22/04/2025
An incorrect permission assignment vulnerability in the PostgreSQL commands of the Zyxel USG FLEX H series uOS firmware versions from V1.20 through V1.31 could allow an authenticated local attacker with low privileges to gain access to the Linux shell and escalate their privileges by crafting malicious scripts or modifying system configurations with administrator-level access through a stolen token. Modifying the system configuration is only possible if the administrator has not logged out and the token remains valid.
Severity CVSS v4.0: Pending analysis
Last modification:
30/10/2025

CVE-2025-1732
Publication date:
22/04/2025
An improper privilege management vulnerability in the recovery function of the Zyxel USG FLEX H series uOS firmware version V1.31 and earlier could allow an authenticated local attacker with administrator privileges to upload a crafted configuration file and escalate privileges on a vulnerable device.
Severity CVSS v4.0: Pending analysis
Last modification:
30/10/2025
Subscribe to Vulnerabilities