Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-46813
Publication date:
05/05/2025
Discourse is an open-source community platform. A data leak vulnerability affects sites deployed between commits 10df7fdee060d44accdee7679d66d778d1136510 and 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b. On login-required sites, the leak meant that some content on the site's homepage could be visible to unauthenticated users. Only login-required sites that got deployed during this timeframe are affected, roughly between April 30 2025 noon EDT and May 2 2025, noon EDT. Sites on the stable branch are unaffected. Private content on an instance's homepage could be visible to unauthenticated users on login-required sites. Versions of 3.5.0.beta4 after commit 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b are not vulnerable to the issue. No workarounds are available. Sites must upgrade to a non-vulnerable version of Discourse.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2025

CVE-2025-4286
Publication date:
05/05/2025
A vulnerability was found in Intelbras InControl up to 2.21.59. It has been classified as problematic. Affected is an unknown function of the component Dispositivos Edição Page. The manipulation of the argument Senha de Comunicação leads to unprotected storage of credentials. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. According to the vendor this issue should be fixed in a later release.
Severity CVSS v4.0: MEDIUM
Last modification:
20/08/2025

CVE-2025-46734
Publication date:
05/05/2025
league/commonmark is a PHP Markdown parser. A cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configuration options such as `html_input: 'strip'` and `allow_unsafe_links: false` to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension is enabled, it introduces a way for users to inject arbitrary HTML attributes into elements via Markdown syntax using curly braces. Version 2.7.0 contains three changes to prevent this XSS attack vector: All attributes starting with `on` are considered unsafe and blocked by default; support for an explicit allowlist of allowed HTML attributes; and manually-added `href` and `src` attributes now respect the existing `allow_unsafe_links` configuration option. If upgrading is not feasible, please consider disabling the `AttributesExtension` for untrusted users and/or filtering the rendered HTML through a library like HTMLPurifier.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-45609
Publication date:
05/05/2025
Incorrect access control in the doFilter function of kob latest v1.0.0-SNAPSHOT allows attackers to access sensitive information via a crafted payload.
Severity CVSS v4.0: Pending analysis
Last modification:
10/10/2025

CVE-2025-45610
Publication date:
05/05/2025
Incorrect access control in the component /scheduleLog/info/1 of PassJava-Platform v3.0.0 allows attackers to access sensitive information via a crafted payload.
Severity CVSS v4.0: Pending analysis
Last modification:
10/10/2025

CVE-2025-45611
Publication date:
05/05/2025
Incorrect access control in the /user/edit/ component of hope-boot v1.0.0 allows attackers to bypass authentication via a crafted GET request.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2025

CVE-2025-45612
Publication date:
05/05/2025
Incorrect access control in xmall v1.1 allows attackers to bypass authentication via a crafted GET request to /index.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2025

CVE-2025-45613
Publication date:
05/05/2025
Incorrect access control in the component /user/list of Shiro-Action v0.6 allows attackers to access sensitive information via a crafted payload.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2025

CVE-2025-45614
Publication date:
05/05/2025
Incorrect access control in the component /api/user/manager of One v1.0 allows attackers to access sensitive information via a crafted payload.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2025

CVE-2025-45615
Publication date:
05/05/2025
Incorrect access control in the /admin/ API of yaoqishan v0.0.1-SNAPSHOT allows attackers to gain access to Admin rights via a crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
17/10/2025

CVE-2025-45616
Publication date:
05/05/2025
Incorrect access control in the /admin/** API of brcc v1.2.0 allows attackers to gain access to Admin rights via a crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
17/10/2025

CVE-2025-45617
Publication date:
05/05/2025
Incorrect access control in the component /user/list of production_ssm v0.0.1-SNAPSHOT allows attackers to access sensitive information via a crafted payload.
Severity CVSS v4.0: Pending analysis
Last modification:
17/10/2025
Subscribe to Vulnerabilities