Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-53971
Publication date:
21/08/2025
Mattermost versions 10.5.x
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2025

CVE-2025-8023
Publication date:
21/08/2025
Mattermost versions 10.8.x
Severity CVSS v4.0: Pending analysis
Last modification:
25/08/2025

CVE-2025-8895
Publication date:
21/08/2025
The WP Webhooks plugin for WordPress is vulnerable to arbitrary file copy due to missing validation of user-supplied input in all versions up to, and including, 3.3.5. This makes it possible for unauthenticated attackers to copy arbitrary files on the affected site's server to arbitrary locations. This can be used to copy the contents of wp-config.php into a text file which can then be accessed in a browser to reveal database credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2025

CVE-2025-47700
Publication date:
21/08/2025
Mattermost Server versions 10.5.x
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2025

CVE-2025-36530
Publication date:
21/08/2025
Mattermost versions 10.9.x
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2025

CVE-2025-7390
Publication date:
21/08/2025
A malicious client can bypass the client certificate trust check of an opc.https server when the server endpoint is configured to allow only secure communication.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2025

CVE-2025-8592
Publication date:
21/08/2025
The Inspiro theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.2. This is due to missing or incorrect nonce validation on the inspiro_install_plugin() function. This makes it possible for unauthenticated attackers to install plugins from the repository via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2025

CVE-2025-8607
Publication date:
21/08/2025
The SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown block's attributes in all versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2025

CVE-2025-7221
Publication date:
21/08/2025
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the give_update_payment_status() function in all versions up to, and including, 4.5.0. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to update donations statuses. This ability is not present in the user interface.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2025

CVE-2025-53505
Publication date:
21/08/2025
Group-Office versions prior to 6.8.119 and prior to 25.0.20 provided by Intermesh BV contain a path traversal vulnerability. If this vulnerability is exploited, information on the server hosting the product may be exposed.
Severity CVSS v4.0: MEDIUM
Last modification:
24/09/2025

CVE-2025-53504
Publication date:
21/08/2025
Group-Office versions prior to 6.8.119 and prior to 25.0.20 provided by Intermesh BV contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser.
Severity CVSS v4.0: MEDIUM
Last modification:
24/09/2025

CVE-2025-57831
Publication date:
21/08/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
21/08/2025
Subscribe to Vulnerabilities