Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-13794
Publication date:
16/12/2025
The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulk_action_generate_handler function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete or generate featured images on posts they do not own.
Severity CVSS v4.0: Pending analysis
Last modification:
16/12/2025

CVE-2025-14252
Publication date:
16/12/2025
An Improper Access Control vulnerability in Advantech SUSI driver (susi.sys) allows attackers to read/write arbitrary memory, I/O ports, and MSRs, resulting in privilege escalation, arbitrary code execution, and information disclosure. This issue affects Advantech SUSI: 5.0.24335 and prior.
Severity CVSS v4.0: HIGH
Last modification:
16/12/2025

CVE-2025-12809
Publication date:
16/12/2025
The Dokan Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/dokan/v1/wholesale/register` REST API endpoint in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to enumerate users and retrieve their email addresses via the REST API by providing a user ID, along with other information such as usernames, display names, user roles, and registration dates.
Severity CVSS v4.0: Pending analysis
Last modification:
16/12/2025

CVE-2025-66357
Publication date:
16/12/2025
CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper check for unusual or exceptional conditions. When the Video Download feature is in a specific communication state, the product's resources may be consumed abnormally.
Severity CVSS v4.0: MEDIUM
Last modification:
16/12/2025

CVE-2025-59479
Publication date:
16/12/2025
CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper restriction of rendered UI layers or frames. If a user clicks on content on a malicious web page while logged into the product, unintended operations may be performed on the product.
Severity CVSS v4.0: MEDIUM
Last modification:
16/12/2025

CVE-2025-61976
Publication date:
16/12/2025
CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper check for unusual or exceptional conditions. If a remote attacker sends a specially crafted request to the Video Download interface, the system may become unresponsive.
Severity CVSS v4.0: HIGH
Last modification:
16/12/2025

CVE-2025-14777
Publication date:
16/12/2025
A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer (client) ID provided in the API request, but the backend database lookup and modification operations (findById, delete) only use the resourceId. This mismatch allows an authenticated attacker with fine-grained admin permissions for one client (e.g., Client A) to delete or update resources belonging to another client (Client B) within the same realm by supplying a valid resource ID.
Severity CVSS v4.0: Pending analysis
Last modification:
16/12/2025

CVE-2025-13956
Publication date:
16/12/2025
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the statistic function in all versions up to, and including, 4.3.1. This makes it possible for unauthenticated attackers to view the plugin's orders statistics, including total revenue summaries and order status counts
Severity CVSS v4.0: Pending analysis
Last modification:
16/12/2025

CVE-2025-59385
Publication date:
16/12/2025
An authentication bypass by spoofing vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to access resources which are not otherwise accessible without proper authentication.<br /> <br /> We have already fixed the vulnerability in the following versions:<br /> QTS 5.2.7.3297 build 20251024 and later<br /> QuTS hero h5.2.7.3297 build 20251024 and later<br /> QuTS hero h5.3.1.3292 build 20251024 and later
Severity CVSS v4.0: HIGH
Last modification:
16/12/2025

CVE-2025-62847
Publication date:
16/12/2025
An improper neutralization of argument delimiters in a command vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to alter execution logic.<br /> <br /> We have already fixed the vulnerability in the following versions:<br /> QTS 5.2.7.3297 build 20251024 and later<br /> QuTS hero h5.2.7.3297 build 20251024 and later<br /> QuTS hero h5.3.1.3292 build 20251024 and later
Severity CVSS v4.0: MEDIUM
Last modification:
16/12/2025

CVE-2025-62848
Publication date:
16/12/2025
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service (DoS) attack.<br /> <br /> We have already fixed the vulnerability in the following versions:<br /> QTS 5.2.7.3297 build 20251024 and later<br /> QuTS hero h5.2.7.3297 build 20251024 and later<br /> QuTS hero h5.3.1.3292 build 20251024 and later
Severity CVSS v4.0: HIGH
Last modification:
16/12/2025

CVE-2025-62849
Publication date:
16/12/2025
An SQL injection vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands.<br /> <br /> We have already fixed the vulnerability in the following versions:<br /> QTS 5.2.7.3297 build 20251024 and later<br /> QuTS hero h5.2.7.3297 build 20251024 and later<br /> QuTS hero h5.3.1.3292 build 20251024 and later
Severity CVSS v4.0: MEDIUM
Last modification:
16/12/2025
Subscribe to Vulnerabilities