Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, for example vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-4198

Publication date:
03/05/2025
The Alink Tap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the 'alink-tap' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2025

CVE-2025-3779

Publication date:
03/05/2025
The Personizely plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘widgetId’ parameter in all versions up to, and including, 0.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2025

CVE-2024-13738

Publication date:
03/05/2025
The Motors - Car Dealer, Rental & Listing theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.6.65. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

*It is unclear exactly which version the issue was patched in from the changelog. Therefore, we used the latest version at the time of verification.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2025

CVE-2025-46723

Publication date:
02/05/2025
OpenVM is a performant and modular zkVM framework built for customization and extensibility. In version 1.0.0, OpenVM is vulnerable to overflow through byte decomposition of pc in AUIPC chip. A typo results in the highest limb of pc being range checked to 8-bits instead of 6-bits. This results in the if statement never being triggered because the enumeration gives i=0,1,2, when instead the enumeration should give i=1,2,3, leaving pc_limbs[3] range checked to 8-bits instead of 6-bits. This leads to a vulnerability where the pc_limbs decomposition differs from the true pc, which means a malicious prover can make the destination register take a different value than the AUIPC instruction dictates, by making the decomposition overflow the BabyBear field. This issue has been patched in version 1.1.0.
Severity CVSS v4.0: HIGH
Last modification:
05/05/2025

CVE-2025-21572

Publication date:
02/05/2025
OpenGrok 1.13.25 has a reflected Cross-Site Scripting (XSS) issue when producing the history view page. This happens through improper handling of path segments. The application reflects unsanitized user input into the HTML output.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2025

CVE-2024-55069

Publication date:
02/05/2025
ffmpeg 7.1 is vulnerable to Null Pointer Dereference in function iamf_read_header in /libavformat/iamfdec.c.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2025

CVE-2022-21546

Publication date:
02/05/2025
In the Linux kernel, the following vulnerability has been resolved:

scsi: target: Fix WRITE_SAME No Data Buffer crash

In newer versions of the SBC specs, we have a NDOB bit that indicates there is no data buffer that gets written out. If this bit is set using commands like "sg_write_same --ndob" we will crash in target_core_iblock/file's execute_write_same handlers when we go to access the se_cmd->t_data_sg because it's NULL.

This patch adds a check for the NDOB bit in the common WRITE SAME code because we don't support it. And, it adds a check for zero SG elements in each handler in case the initiator tries to send a normal WRITE SAME with no data buffer.
Severity CVSS v4.0: Pending analysis
Last modification:
09/05/2025

CVE-2025-4218

Publication date:
02/05/2025
A vulnerability was found in handrew browserpilot up to 0.2.51. It has been declared as critical. Affected by this vulnerability is the function GPTSeleniumAgent of the file browserpilot/browserpilot/agents/gpt_selenium_agent.py. The manipulation of the argument instructions leads to code injection. The attack must be carried out locally. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
05/05/2025

CVE-2025-47226

Publication date:
02/05/2025
Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2025

CVE-2025-4215

Publication date:
02/05/2025
A vulnerability was found in gorhill uBlock Origin up to 1.63.3b16. It has been classified as problematic. Affected is the function currentStateChanged of the file src/js/1p-filters.js of the component UI. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The complexity of an attack is rather high, and exploitation is reported to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.63.3b17 addresses this issue. The patch is identified as eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c. It is recommended to upgrade the affected component.
Severity CVSS v4.0: LOW
Last modification:
05/05/2025

CVE-2025-0782

Publication date:
02/05/2025
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2025

CVE-2025-4214

Publication date:
02/05/2025
A vulnerability was found in PHPGuruku Online DJ Booking Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/booking-bwdates-reports-details.php. The manipulation of the argument fromdate leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
Severity CVSS v4.0: MEDIUM
Last modification:
05/05/2025