Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-3223
Publication date:
19/05/2025
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in GE Vernova WorkstationST on Windows (EGD Configuration Server modules) allows Path Traversal.This issue affects WorkstationST: WorkstationST V07.10.10C and earlier.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2025-48340
Publication date:
19/05/2025
Cross-Site Request Forgery (CSRF) vulnerability in Danny Vink User Profile Meta Manager allows Privilege Escalation.This issue affects User Profile Meta Manager: from n/a through 1.02.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2025-47944
Publication date:
19/05/2025
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.0 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.0 to receive a patch. No known workarounds are available.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2025-47946
Publication date:
19/05/2025
Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering `{{ attributes }}` or using any method that returns a `ComponentAttributes` instance (e.g. `only()`, `defaults()`, `without()`) ouputs attribute values directly without escaping. If these values are unsafe (e.g. contain user input), this can lead to HTML attribute injection and XSS vulnerabilities. The issue is fixed in version `2.25.1` of `symfony/ux-twig-component` Those who use `symfony/ux-live-component` must also update it to `2.25.1` to benefit from the fix, as it reuses the `ComponentAttributes` class internally. As a workaround, avoid rendering `{{ attributes }}` or derived objects directly if it may contain untrusted values.<br /> Instead, use `{{ attributes.render(&amp;#39;name&amp;#39;) }}` for safe output of individual attributes.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2025-47949
Publication date:
19/05/2025
samlify is a Node.js library for SAML single sign-on. A Signature Wrapping attack has been found in samlify prior to version 2.10.0, allowing an attacker to forge a SAML Response to authenticate as any user. An attacker would need a signed XML document by the identity provider. Version 2.10.0 fixes the issue.
Severity CVSS v4.0: CRITICAL
Last modification:
21/05/2025

CVE-2025-39393
Publication date:
19/05/2025
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in mojoomla Hospital Management System allows Reflected XSS.This issue affects Hospital Management System: from n/a through 47.0 (20-11-2023).
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2025-39395
Publication date:
19/05/2025
Improper Neutralization of Special Elements used in an SQL Command (&amp;#39;SQL Injection&amp;#39;) vulnerability in mojoomla WPAMS allows SQL Injection.This issue affects WPAMS: from n/a through 44.0 (17-08-2023).
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2025-39401
Publication date:
19/05/2025
Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla WPAMS allows Upload a Web Shell to a Web Server.This issue affects WPAMS: from n/a through 44.0 (17-08-2023).
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2025-39402
Publication date:
19/05/2025
Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla WPAMS allows Upload a Web Shell to a Web Server.This issue affects WPAMS: from n/a through 44.0 (17-08-2023).
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2025-46441
Publication date:
19/05/2025
Path Traversal: &amp;#39;.../...//&amp;#39; vulnerability in ctltwp Section Widget allows Path Traversal.This issue affects Section Widget: from n/a through 3.3.1.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2025-47935
Publication date:
19/05/2025
Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2025-39366
Publication date:
19/05/2025
Incorrect Privilege Assignment vulnerability in Rocket Apps wProject.This issue affects wProject: from n/a before 5.8.0.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025
Subscribe to Vulnerabilities