Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-62294
Publication date:
20/11/2025
SOPlanning is vulnerable to Predictable Generation of Password Recovery Token. Due to weak mechanism of generating recovery tokens, a malicious attacker is able to brute-force all possible values and takeover any account in reasonable amount of time.<br /> <br /> This issue was fixed in version 1.55.
Severity CVSS v4.0: HIGH
Last modification:
20/11/2025

CVE-2025-62295
Publication date:
20/11/2025
SOPlanning is vulnerable to Stored XSS in /groupe_form endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor.<br /> <br /> This issue was fixed in version 1.55.
Severity CVSS v4.0: MEDIUM
Last modification:
20/11/2025

CVE-2025-62296
Publication date:
20/11/2025
SOPlanning is vulnerable to Stored XSS in /taches endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor.<br /> <br /> This issue was fixed in version 1.55.
Severity CVSS v4.0: MEDIUM
Last modification:
20/11/2025

CVE-2025-62297
Publication date:
20/11/2025
SOPlanning is vulnerable to Stored XSS in /projets endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening edited page.<br /> <br /> This issue was fixed in version 1.55.
Severity CVSS v4.0: MEDIUM
Last modification:
20/11/2025

CVE-2025-62729
Publication date:
20/11/2025
SOPlanning is vulnerable to Stored XSS in /status endpoint. Malicious attacker with an account can inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages.<br /> <br /> This issue was fixed in version 1.55.
Severity CVSS v4.0: MEDIUM
Last modification:
20/11/2025

CVE-2025-36161
Publication date:
20/11/2025
IBM Concert 1.0.0 through 2.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict-Transport-Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2025

CVE-2025-60737
Publication date:
20/11/2025
Cross Site Scripting vulnerability in Ilevia EVE X1 Server Firmware Version
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2025

CVE-2025-60738
Publication date:
20/11/2025
An issue in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before Logic Version v6.00 - 2025_07_21 and before allows a remote attacker to execute arbitrary code via the ping.php component does not perform secure filtering on IP parameters
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2025

CVE-2025-34320
Publication date:
20/11/2025
BASIS BBj versions prior to 25.00 contain a Jetty-served web endpoint that fails to properly validate or canonicalize input path segments. This allows unauthenticated directory traversal sequences to cause the server to read arbitrary system files accessible to the account running the service. Retrieved configuration artifacts may contain account credentials used for BBj Enterprise Manager; possession of these credentials enables administrative access and use of legitimate management functionality that can result in execution of system commands under the service account. Depending on the operating system and the privileges of the BBj service account, this issue may also allow access to other sensitive files on the host, including operating system or application data, potentially exposing additional confidential information.
Severity CVSS v4.0: CRITICAL
Last modification:
20/11/2025

CVE-2025-13425
Publication date:
20/11/2025
A bug in the filesystem traversal fallback path causes fs/diriterate/diriterate.go:Next() to overindex an empty slice when ReadDir returns nil for an empty directory, resulting in a panic (index out of range) and an application crash (denial of service) in OSV-SCALIBR.
Severity CVSS v4.0: LOW
Last modification:
20/11/2025

CVE-2024-31405
Publication date:
20/11/2025
Rejected reason: Voluntarily withdrawn
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2025

CVE-2025-65220
Publication date:
20/11/2025
Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow in: /goform/SetVirtualServerCfg via the list parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2025
Subscribe to Vulnerabilities