Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-50124
Publication date:
11/07/2025
A<br /> <br /> <br /> <br /> <br /> <br /> CWE-269: Improper Privilege Management vulnerability exists that could cause privilege escalation when the<br /> server is accessed by a privileged account via a console and through exploitation of a setup script.
Severity CVSS v4.0: HIGH
Last modification:
03/11/2025

CVE-2025-50121
Publication date:
11/07/2025
A CWE-78: Improper Neutralization of Special Elements used in an OS Command (&amp;#39;OS Command Injection&amp;#39;)<br /> vulnerability exists that could cause unauthenticated remote code execution when a malicious folder is created<br /> over the web interface HTTP when enabled. HTTP is disabled by default.
Severity CVSS v4.0: CRITICAL
Last modification:
03/11/2025

CVE-2025-50122
Publication date:
11/07/2025
A CWE-331: Insufficient Entropy vulnerability exists that could cause root password discovery when the<br /> password generation algorithm is reverse engineered with access to installation or upgrade artifacts.
Severity CVSS v4.0: HIGH
Last modification:
03/11/2025

CVE-2025-50123
Publication date:
11/07/2025
A<br /> <br /> CWE-94: Improper Control of Generation of Code (&amp;#39;Code Injection&amp;#39;) vulnerability exists that could cause remote<br /> command execution by a privileged account when the server is accessed via a console and through<br /> exploitation of the hostname input.
Severity CVSS v4.0: HIGH
Last modification:
04/11/2025

CVE-2025-3933
Publication date:
11/07/2025
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class&amp;#39;s `token2json()` method. This vulnerability affects versions 4.50.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern `` which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.
Severity CVSS v4.0: Pending analysis
Last modification:
07/08/2025

CVE-2025-6838
Publication date:
11/07/2025
The Broken Link Notifier plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.3.0 via broken links that are later exported. This makes it possible for authenticated attackers, with Contributor-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2025

CVE-2025-6851
Publication date:
11/07/2025
The Broken Link Notifier plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.0 via the ajax_blinks() function which ultimately calls the check_url_status_code() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2025

CVE-2025-6438
Publication date:
11/07/2025
A<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could<br /> cause manipulation of SOAP API calls and XML external entities injection resulting in unauthorized file access<br /> when the server is accessed via the network using an application account.
Severity CVSS v4.0: MEDIUM
Last modification:
03/11/2025

CVE-2025-5530
Publication date:
11/07/2025
The WPC Smart Compare for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s &amp;#39;shortcode_btn&amp;#39; shortcode in all versions up to, and including, 6.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2025

CVE-2025-6068
Publication date:
11/07/2025
The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry &amp; Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption-title` &amp; `data-caption-description` HTML attributes in all versions up to, and including, 2.4.31 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2025

CVE-2025-6745
Publication date:
11/07/2025
The WoodMart plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 8.2.5 via the woodmart_get_posts_by_query() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2025

CVE-2025-7442
Publication date:
11/07/2025
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to SQL Injection via several parameters in the MJ_gmgt_delete_class_limit_for_member, MJ_gmgt_get_yearly_income_expense, MJ_gmgt_get_monthly_income_expense, MJ_gmgt_add_class_limit, MJ_gmgt_view_meeting_detail, and MJ_gmgt_create_meeting functions in all versions up to 67.8.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2025
Subscribe to Vulnerabilities