Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-3833
Publication date:
14/05/2025
Zohocorp ManageEngine ADSelfService Plus versions 6513 and prior are vulnerable to authenticated SQL injection in the MFA reports.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2025

CVE-2025-26864
Publication date:
14/05/2025
Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB.<br /> <br /> This issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2.<br /> <br /> Users are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2025

CVE-2025-26795
Publication date:
14/05/2025
Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver.<br /> <br /> This issue affects iotdb-jdbc: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2.<br /> <br /> Users are recommended to upgrade to version 2.0.2 and 1.3.4, which fix the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2025

CVE-2024-24780
Publication date:
14/05/2025
Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has privilege to create UDF can register malicious function from untrusted URI.<br /> <br /> This issue affects Apache IoTDB: from 1.0.0 before 1.3.4.<br /> <br /> Users are recommended to upgrade to version 1.3.4, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2025

CVE-2025-2875
Publication date:
14/05/2025
CWE-610: Externally Controlled Reference to a Resource in Another Sphere vulnerability exists that could<br /> cause a loss of confidentiality when an unauthenticated attacker manipulates controller’s webserver URL to<br /> access resources.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026

CVE-2024-8988
Publication date:
14/05/2025
The PeepSo Core: File Uploads plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.6.0 via the file_download REST API endpoint due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to download files uploaded by others users and expose potentially sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-13940
Publication date:
14/05/2025
The Ninja Forms Webhooks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.0.7 via the form webhook functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-52290
Publication date:
14/05/2025
LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Prior to version 2.1.0 user with rights to modificate the service (e.g. kuiperUser role) can inject a cross-site scripting payload into Connection Configuration key `Name` (`confKey`) parameter. After this setup, when any user with access to this service (e.g. admin) tries to delete this key, a payload acts in the victim&amp;#39;s browser. Version 2.1.0 fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2025

CVE-2025-0020
Publication date:
14/05/2025
Rejected reason: “This CVE ID is Rejected and will not be used. As the CNA of record ESRI has rejected this CVE as it is not a vulnerability”
Severity CVSS v4.0: HIGH
Last modification:
19/05/2025

CVE-2025-47897
Publication date:
14/05/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2025

CVE-2025-47898
Publication date:
14/05/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2025

CVE-2025-47899
Publication date:
14/05/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2025
Subscribe to Vulnerabilities