Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-27631
Publication date:
25/03/2025
The TRMTracker web application is vulnerable to LDAP injection attack potentially allowing an attacker to inject code into a query and execute remote commands that can read and update data on the website.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-10037
Publication date:
25/03/2025
A vulnerability exists in the RTU500 web server component that can cause a denial of service to the RTU500 CMU application if a specially crafted message sequence is executed on a WebSocket connection.<br /> An attacker must be properly authenticated and the test mode function of RTU500 must be enabled to exploit this vulnerability.<br /> <br /> The affected CMU will automatically recover itself if an attacker successfully exploits this vulnerability.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2024-11499
Publication date:
25/03/2025
A vulnerability exists in RTU500 IEC 60870-4-104 controlled station functionality, that allows an authenticated and authorized attacker to perform a CMU restart. The vulnerability can be triggered if certificates are updated while in use on active connections.<br /> <br /> The affected CMU will automatically recover itself if an attacker successfully exploits this vulnerability.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2022-1804
Publication date:
25/03/2025
accountsservice no longer drops permissions when writting .pam_environment
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2025-2109
Publication date:
25/03/2025
The WP Compress – Instant Performance &amp; Speed Optimization plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.30.15 via the init() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query information from internal services.
Severity CVSS v4.0: Pending analysis
Last modification:
11/08/2025

CVE-2024-53679
Publication date:
25/03/2025
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Apache VCL in the User Lookup form. A user with sufficient rights to be able to view this part of the site can craft a URL or be tricked in to clicking a URL that will give a specified user elevated rights.<br /> <br /> <br /> <br /> This issue affects all versions of Apache VCL through 2.5.1.<br /> <br /> <br /> <br /> Users are recommended to upgrade to version 2.5.2, which fixes the issue.
Severity CVSS v4.0: HIGH
Last modification:
14/07/2025

CVE-2025-2756
Publication date:
25/03/2025
A vulnerability classified as critical has been found in Open Asset Import Library Assimp 5.4.3. This affects the function Assimp::AC3DImporter::ConvertObjectSection of the file code/AssetLib/AC/ACLoader.cpp of the component AC3D File Handler. The manipulation of the argument tmp leads to heap-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
17/07/2025

CVE-2025-2757
Publication date:
25/03/2025
A vulnerability classified as critical was found in Open Asset Import Library Assimp 5.4.3. This vulnerability affects the function AI_MD5_PARSE_STRING_IN_QUOTATION of the file code/AssetLib/MD5/MD5Parser.cpp of the component MD5 File Handler. The manipulation of the argument data leads to heap-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
17/07/2025

CVE-2025-2542
Publication date:
25/03/2025
The Your Simple SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-2635
Publication date:
25/03/2025
The Digital License Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg() function without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-53678
Publication date:
25/03/2025
Improper Neutralization of Special Elements used in an SQL Command (&amp;#39;SQL Injection&amp;#39;) vulnerability in Apache VCL. Users can modify form data submitted when requesting a new Block Allocation such that a SELECT SQL statement is modified. The data returned by the SELECT statement is not viewable by the attacker.<br /> <br /> This issue affects all versions of Apache VCL from 2.2 through 2.5.1.<br /> <br /> Users are recommended to upgrade to version 2.5.2, which fixes the issue.
Severity CVSS v4.0: MEDIUM
Last modification:
14/07/2025

CVE-2025-2753
Publication date:
25/03/2025
A vulnerability was found in Open Asset Import Library Assimp 5.4.3. It has been classified as critical. Affected is the function SceneCombiner::MergeScenes of the file code/AssetLib/LWS/LWSLoader.cpp of the component LWS File Handler. The manipulation leads to out-of-bounds read. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
17/07/2025
Subscribe to Vulnerabilities