Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-14631

Publication date:
07/01/2026
A NULL Pointer Dereference vulnerability in TP-Link Archer BE400 V1 (802.11 modules) allows an adjacent attacker to cause a denial-of-service (DoS) by triggering a device reboot. This issue affects Archer BE400: xi 1.1.0 Build 20250710 rel.14914.
Severity CVSS v4.0: HIGH
Last modification:
08/01/2026

CVE-2025-14614

Publication date:
07/01/2026
Insecure Temporary File vulnerability in Altera Quartus Prime Standard Installer (SFX) on Windows, Altera Quartus Prime Lite Installer (SFX) on Windows allows Explore for Predictable Temporary File Names. This issue affects Quartus Prime Standard: from 23.1 through 24.1; Quartus Prime Lite: from 23.1 through 24.1.
Severity CVSS v4.0: MEDIUM
Last modification:
12/01/2026

CVE-2025-14625

Publication date:
07/01/2026
Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Standard on Windows (Nios II Command Shell modules), Altera Quartus Prime Lite on Windows (Nios II Command Shell modules) allows Search Order Hijacking. This issue affects Quartus Prime Standard: from 19.1 through 24.1; Quartus Prime Lite: from 19.1 through 24.1.
Severity CVSS v4.0: MEDIUM
Last modification:
28/01/2026

CVE-2025-14145

Publication date:
07/01/2026
The Niche Hero | Beautifully-designed blocks in seconds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spacing' parameter of the nh_row shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2025-14147

Publication date:
07/01/2026
The Easy GitHub Gist Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the gist shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2025-14352

Publication date:
07/01/2026
The Awesome Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to incorrect authorization in the room-single.php shortcode handler in all versions up to, and including, 1.0. This is due to the plugin relying solely on nonce verification without capability checks. This makes it possible for unauthenticated attackers to modify arbitrary booking records by obtaining a nonce from the public booking form.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2025-14370

Publication date:
07/01/2026
The Quote Comments plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.0.0. This is due to missing authorization checks in the quotecomments_add_admin function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin options via the 'action' parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2025-14453

Publication date:
07/01/2026
The My Album Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style_css' shortcode attribute in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2025-14460

Publication date:
07/01/2026
The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the payment gateway. This makes it possible for unauthenticated attackers to change any order's status to 'failed' via the publicly accessible WooCommerce API endpoint by providing only the order ID (MerchantReference parameter), which can be easily enumerated as order IDs are sequential integers. This can cause significant business disruption including canceled shipments, inventory issues, and loss of revenue.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2025-14121

Publication date:
07/01/2026
The EDD Download Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'edd_download_info_link' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2025-14122

Publication date:
07/01/2026
The AD Sliding FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliding_faq' shortcode in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2025-14127

Publication date:
07/01/2026
The Testimonial Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026