Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-21846
Publication date:
12/03/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> acct: perform last write from workqueue<br /> <br /> In [1] it was reported that the acct(2) system call can be used to<br /> trigger NULL deref in cases where it is set to write to a file that<br /> triggers an internal lookup. This can e.g., happen when pointing acc(2)<br /> to /sys/power/resume. At the point the where the write to this file<br /> happens the calling task has already exited and called exit_fs(). A<br /> lookup will thus trigger a NULL-deref when accessing current-&gt;fs.<br /> <br /> Reorganize the code so that the the final write happens from the<br /> workqueue but with the caller&amp;#39;s credentials. This preserves the<br /> (strange) permission model and has almost no regression risk.<br /> <br /> This api should stop to exist though.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-13446
Publication date:
12/03/2025
The Workreap plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.2.5. This is due to the plugin not properly validating a user&amp;#39;s identity prior to (1) performing a social auto-login or (2) updating their profile details (e.g. password). This makes it possible for unauthenticated attackers to (1) login as an arbitrary user if their email address is known or (2) change an arbitrary user&amp;#39;s password, including administrators, and leverage that to gain access to their account. NOTE: This vulnerability was partially fixed in version 3.2.5.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2025

CVE-2024-13430
Publication date:
12/03/2025
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.8 via the &amp;#39;pagelayer_builder_posts_shortcode&amp;#39; function due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private posts that they should not have access to.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2025

CVE-2024-58087
Publication date:
12/03/2025
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: fix racy issue from session lookup and expire<br /> <br /> Increment the session reference count within the lock for lookup to avoid<br /> racy issue with session expire.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2024-13838
Publication date:
12/03/2025
The Uncanny Automator – Easy Automation, Integration, Webhooks &amp; Workflow Builder Plugin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.2 via the &amp;#39;call_webhook&amp;#39; method of the Automator_Send_Webhook class This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2025

CVE-2024-12589
Publication date:
12/03/2025
The Finale Lite – Sales Countdown Timer &amp; Discount for WooCommerce plugin for WordPress is vulnerable to Stored DOM-Based Cross-Site Scripting via the countdown timer in all versions up to, and including, 2.19.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2025

CVE-2024-13498
Publication date:
12/03/2025
The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.8.1 via file uploads due to insufficient directory listing prevention and lack of randomization of file names. This makes it possible for unauthenticated attackers to extract sensitive data including files uploaded via a form.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-24912
Publication date:
12/03/2025
hostapd fails to process crafted RADIUS packets properly. When hostapd authenticates wi-fi devices with RADIUS authentication, an attacker in the position between the hostapd and the RADIUS server may inject crafted RADIUS packets and force RADIUS authentications to fail.
Severity CVSS v4.0: Pending analysis
Last modification:
24/10/2025

CVE-2025-2077
Publication date:
12/03/2025
The Simple Amazon Affiliate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the &amp;#39;msg&amp;#39; parameter in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2025

CVE-2025-2078
Publication date:
12/03/2025
The BlogBuzzTime for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2025

CVE-2025-2205
Publication date:
12/03/2025
The GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.15.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2025

CVE-2025-2076
Publication date:
12/03/2025
The binlayerpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity CVSS v4.0: Pending analysis
Last modification:
07/04/2025
Subscribe to Vulnerabilities