Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-52184
Publication date:
26/08/2025
Cross Site Scripting vulnerability in Helpy.io v.2.8.0 allows a remote attacker to escalate privileges via the New Topic Ticket funtion.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2025-55212
Publication date:
26/08/2025
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2, passing a geometry string containing only a colon (":") to montage -geometry leads GetGeometry() to set width/height to 0. Later, ThumbnailImage() divides by these zero dimensions, triggering a crash (SIGFPE/abort), resulting in a denial of service. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2025-50974
Publication date:
26/08/2025
The Calamaris log exporter CGI (/cgi-bin/logs.cgi/calamaris.dat) in IPFire 2.29 does not properly sanitize user-supplied input before incorporating parameter values into a shell command. An unauthenticated remote attacker can inject arbitrary OS commands by embedding shell metacharacters in any of the following parameters BYTE_UNIT, DAY_BEGIN, DAY_END, HIST_LEVEL, MONTH_BEGIN, MONTH_END, NUM_CONTENT, NUM_DOMAINS, NUM_HOSTS, NUM_URLS, PERF_INTERVAL, YEAR_BEGIN, YEAR_END.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2025-2697
Publication date:
26/08/2025
IBM Cognos Command Center 10.2.4.1 and 10.2.5 <br /> <br /> could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2025-36729
Publication date:
26/08/2025
A non-primary administrator user with admin rights to the web interface but without shell access permissions can display configuration of the device including the master admin password. This vulnerability also allows the user to give themselves shell access with the root gid.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2025-1494
Publication date:
26/08/2025
IBM Cognos Command Center 10.2.4.1 and 10.2.5 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim&amp;#39;s click actions and possibly launch further attacks against the victim.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2025-1994
Publication date:
26/08/2025
IBM Cognos Command Center 10.2.4.1 and 10.2.5 <br /> <br /> <br /> <br /> could allow a local user to execute arbitrary code on the system due to the use of unsafe use of the BinaryFormatter function.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2025-57813
Publication date:
26/08/2025
traQ is a messenger application built for Digital Creators Club traP. Prior to version 3.25.0, a vulnerability exists where sensitive information, such as OAuth tokens, are recorded in log files when an error occurs during the execution of an SQL query. An attacker could intentionally trigger an SQL error by methods such as placing a high load on the database. This could allow an attacker who has the authority to view the log files to illicitly acquire the recorded sensitive information. This vulnerability has been patched in version 3.25.0. If upgrading is not possible, a temporary workaround involves reviewing access permissions for SQL error logs and strictly limiting access to prevent unauthorized users from viewing them.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2025-56432
Publication date:
26/08/2025
A cross-site scripting (XSS) vulnerability exists in Nagios XI 2024R2. The vulnerability allows remote attackers to execute arbitrary JavaScript in the context of a logged-in user&amp;#39;s session via a specially crafted URL. The issue resides in a web component responsible for rendering performance-related data.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2025-57810
Publication date:
26/08/2025
jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.2, user control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful PNG file that results in high CPU utilization and denial of service. The vulnerability was fixed in jsPDF 3.0.2.
Severity CVSS v4.0: HIGH
Last modification:
26/08/2025

CVE-2025-6366
Publication date:
26/08/2025
The Event List plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.0.4. This is due to the plugin not properly validating a user&amp;#39;s capabilities prior to updating their profile in the el_update_profile() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change their capabilities to those of an administrator.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2025-52217
Publication date:
26/08/2025
SelectZero Data Observability Platform before 2025.5.2 is vulnerable to HTML Injection. Legacy UI fields improperly handle user-supplied input, allowing injection of arbitrary HTML.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025
Subscribe to Vulnerabilities