Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, of all the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources and to any patches or solutions provided by manufacturers and developers. Advanced searches are possible, with criteria such as vulnerability type, manufacturer and impact level available to narrow down the results.

RSS feeds and newsletters provide daily notice of the latest vulnerabilities added to the repository. The list below, updated daily, shows the most recent vulnerabilities.

CVE-2025-8107

Publication date:
24/07/2025
In OceanBase's Oracle tenant mode, a malicious user with specific privileges can achieve privilege escalation to SYS-level access by executing carefully crafted commands.

This vulnerability only affects OceanBase tenants in Oracle mode. Tenants in MySQL mode are unaffected.
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2025

CVE-2025-7745

Publication date:
24/07/2025
Buffer Over-read vulnerability in ABB AC500 V2. This issue affects AC500 V2: through 2.5.2.
Severity CVSS v4.0: MEDIUM
Last modification:
25/07/2025

CVE-2025-8009

Publication date:
24/07/2025
The Security Ninja – WordPress Security Plugin & Firewall plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.242 via the 'get_file_source' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to extract sensitive data, including the contents of any file on the server.
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2025

CVE-2025-26397

Publication date:
24/07/2025
SolarWinds Observability Self-Hosted is susceptible to Deserialization of Untrusted Data Local Privilege Escalation vulnerability. An attacker with low privileges can escalate privileges to run malicious files copied to a permission-protected folder. This vulnerability requires authentication from a low-level account and local access to the host server.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-7852

Publication date:
24/07/2025
The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_new_customer' route in all versions up to, and including, 1.0.6. The plugin's image-upload handler calls move_uploaded_file() on client-supplied files without restricting allowed extensions or MIME types, nor sanitizing the filename. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2025

CVE-2025-7437

Publication date:
24/07/2025
The Ebook Store plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ebook_store_save_form function in all versions up to, and including, 5.8012. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2025

CVE-2025-7001

Publication date:
24/07/2025
An issue has been discovered in GitLab CE/EE affecting all versions from 15.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed privileged users to access certain resource_group information through the API which should have been unavailable.
Severity CVSS v4.0: Pending analysis
Last modification:
28/07/2025

CVE-2025-41240

Publication date:
24/07/2025
Three Bitnami Helm charts mount Kubernetes Secrets under a predictable path (/opt/bitnami/*/secrets) that is located within the web server document root.

In affected versions, this can lead to unauthenticated access to sensitive credentials via HTTP/S. A remote attacker could retrieve these secrets by accessing specific URLs if the application is exposed externally. The issue affects deployments using the default value of usePasswordFiles=true, which mounts secrets as files into the container filesystem.
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2025

CVE-2025-4393

Publication date:
24/07/2025
Medtronic MyCareLink Patient Monitor has an internal service that deserializes data, which allows a local attacker to interact with the service by crafting a binary payload to crash the service or elevate privileges.

This issue affects MyCareLink Patient Monitor models 24950 and 24952: before June 25, 2025
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2025

CVE-2025-4394

Publication date:
24/07/2025
Medtronic MyCareLink Patient Monitor uses an unencrypted filesystem on internal storage, which allows an attacker with physical access to read and modify files.

This issue affects MyCareLink Patient Monitor models 24950 and 24952: before June 25, 2025
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2025

CVE-2025-4395

Publication date:
24/07/2025
Medtronic MyCareLink Patient Monitor has a built-in user account with an empty password, which allows an attacker with physical access to log in with no password and access and modify system functionality.

This issue affects MyCareLink Patient Monitor models 24950 and 24952: before June 25, 2025
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2025

CVE-2025-4976

Publication date:
24/07/2025
An issue has been discovered in GitLab EE affecting all versions from 17.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that, under certain circumstances, could have allowed an attacker to access internal notes in GitLab Duo responses.
Severity CVSS v4.0: Pending analysis
Last modification:
28/07/2025