Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-8376
Publication date:
31/07/2025
A vulnerability classified as critical has been found in code-projects Vehicle Management 1.0. Affected is an unknown function of the file /updatebal.php. The manipulation of the argument company leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
31/07/2025

CVE-2025-8378
Publication date:
31/07/2025
A vulnerability was found in Campcodes Online Hotel Reservation System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/index.php of the component Login. The manipulation of the argument username/password leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
31/07/2025

CVE-2025-40980
Publication date:
31/07/2025
A Stored Cross Site Scripting vulnerability has been found in UltimatePOS by UltimateFosters. This vulnerability is due to the lack of proper validation of user inputs via ‘/products//edit’, affecting to ‘name’ parameter via POST. The vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal his/her session cookies details.
Severity CVSS v4.0: MEDIUM
Last modification:
31/07/2025

CVE-2025-41688
Publication date:
31/07/2025
A high privileged remote attacker can execute arbitrary OS commands using an undocumented method allowing to escape the implemented LUA sandbox.
Severity CVSS v4.0: Pending analysis
Last modification:
31/07/2025

CVE-2025-2813
Publication date:
31/07/2025
An unauthenticated remote attacker can cause a Denial of Service by sending a large number of requests to the http service on port 80.
Severity CVSS v4.0: Pending analysis
Last modification:
31/07/2025

CVE-2025-8375
Publication date:
31/07/2025
A vulnerability was found in code-projects Vehicle Management 1.0. It has been rated as critical. This issue affects some unknown processing of the file /addvehicle.php. The manipulation of the argument vehicle leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
31/07/2025

CVE-2025-8374
Publication date:
31/07/2025
A vulnerability was found in code-projects Vehicle Management 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /addcompany.php. The manipulation of the argument company leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
31/07/2025

CVE-2025-24854
Publication date:
31/07/2025
A carefully crafted request using the Image plugin could trigger an XSS <br /> vulnerability on Apache JSPWiki, which could allow the attacker to <br /> execute javascript in the victim&amp;#39;s browser and get some sensitive <br /> information about the victim.<br /> <br /> <br /> <br /> <br /> <br /> Apache JSPWiki users should upgrade to 2.12.3 or later.
Severity CVSS v4.0: Pending analysis
Last modification:
31/07/2025

CVE-2025-8192
Publication date:
31/07/2025
There exists a TOCTOU race condition in TvSettings AppRestrictionsFragment.java that lead to start of attacker supplied activity in Settings’ context, i.e. system-uid context, thus lead to launchAnyWhere. The core idea is to utilize the time window between the check of Intent and the use to Intent to change the target component’s state, thus bypass the original security sanitize function.
Severity CVSS v4.0: MEDIUM
Last modification:
31/07/2025

CVE-2025-24853
Publication date:
31/07/2025
A carefully crafted request when creating a header link using the <br /> wiki markup syntax, which could allow the attacker to execute javascript<br /> in the victim&amp;#39;s browser and get some sensitive information about the <br /> victim.<br /> <br /> <br /> <br /> Further research by the JSPWiki team showed that the markdown parser allowed this kind of attack too.<br /> <br /> Apache JSPWiki users should upgrade to 2.12.3 or later.
Severity CVSS v4.0: Pending analysis
Last modification:
31/07/2025

CVE-2025-8373
Publication date:
31/07/2025
A vulnerability was found in code-projects Vehicle Management 1.0. It has been classified as critical. This affects an unknown part of the file /print.php. The manipulation of the argument sno leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
31/07/2025

CVE-2025-46359
Publication date:
31/07/2025
A path traversal issue exists in backup and restore feature of multiple versions of PowerCMS. A product administrator may execute arbitrary code by restoring a crafted backup file.
Severity CVSS v4.0: HIGH
Last modification:
31/07/2025
Subscribe to Vulnerabilities