Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database). By virtue of a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used in order to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their different information sources, as well as to the available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-55454

Publication date:
22/08/2025
An authenticated arbitrary file upload vulnerability in the component /msg/sendfiles of DooTask v1.0.51 allows attackers to execute arbitrary code via uploading a crafted file.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2025

CVE-2025-6791

Publication date:
22/08/2025
In the monitoring event logs page, it is possible to alter the HTTP request to insert a reflected payload in the DB. Caused by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon web (Monitoring event logs modules) allows SQL Injection. This issue affects web: 24.10.0, 24.04.0, 23.10.0.
Severity CVSS v4.0: Pending analysis
Last modification:
22/10/2025

CVE-2025-54813

Publication date:
22/08/2025
Improper Output Neutralization for Logs vulnerability in Apache Log4cxx.

When using JSONLayout, not all payload bytes are properly escaped. If an attacker-supplied message contains certain non-printable characters, these will be passed along in the message and written out as part of the JSON message. This may prevent applications that consume these logs from correctly interpreting the information within them.

This issue affects Apache Log4cxx: before 1.5.0.

Users are recommended to upgrade to version 1.5.0, which fixes the issue.
Severity CVSS v4.0: MEDIUM
Last modification:
04/11/2025

CVE-2025-50858

Publication date:
22/08/2025
Reflected Cross-Site Scripting in the List MySQL Databases function in Easy Hosting Control Panel (EHCP) 20.04.1.b allows authenticated attackers to execute arbitrary JavaScript via the action parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
24/09/2025

CVE-2025-50859

Publication date:
22/08/2025
Reflected Cross-Site Scripting in the Change Template function in Easy Hosting Control Panel (EHCP) 20.04.1.b allows authenticated attackers to execute arbitrary JavaScript via the template parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
24/09/2025

CVE-2025-51092

Publication date:
22/08/2025
The LogIn-SignUp project by VishnuSivadasVS is vulnerable to SQL Injection due to unsafe construction of SQL queries in DataBase.php. The functions logIn() and signUp() build queries by directly concatenating user input and unvalidated table names without using prepared statements. While a prepareData() function exists, it is insufficient to prevent SQL injection and does not sanitize the table name.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2025

CVE-2025-54812

Publication date:
22/08/2025
Improper Output Neutralization for Logs vulnerability in Apache Log4cxx.

When using HTMLLayout, logger names are not properly escaped when writing out to the HTML file. If untrusted data is used to retrieve the name of a logger, an attacker could theoretically inject HTML or JavaScript in order to hide information from logs or steal data from the user. In order to activate this, the following sequence must occur:

* Log4cxx is configured to use HTMLLayout.
* Logger name comes from an untrusted string.
* Logger with compromised name logs a message.
* User opens the generated HTML log file in their browser, leading to potential XSS.

Because logger names are generally constant strings, we assess the impact to users as LOW.

This issue affects Apache Log4cxx: before 1.5.0.

Users are recommended to upgrade to version 1.5.0, which fixes the issue.
Severity CVSS v4.0: LOW
Last modification:
04/11/2025

CVE-2025-4650

Publication date:
22/08/2025
A user with high privileges is able to introduce a SQLi using the Meta Service indicator page. Caused by an Improper Neutralization of Special Elements used in an SQL Command. This issue affects web: from 24.10.0 before 24.10.9, from 24.04.0 before 24.04.16, from 23.10.0 before 23.10.26.
Severity CVSS v4.0: Pending analysis
Last modification:
22/10/2025

CVE-2024-48988

Publication date:
22/08/2025
SQL Injection vulnerability in Apache StreamPark.

This issue affects Apache StreamPark: from 2.1.4 before 2.1.6.

Users are recommended to upgrade to version 2.1.6, which fixes the issue.

This vulnerability is present only in the distribution package (SpringBoot platform) and does not involve Maven artifacts. It can only be exploited after a user has successfully logged into the platform (implying that the attacker would first need to compromise the login authentication). As a result, the associated risk is considered relatively low.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2025-43762

Publication date:
22/08/2025
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allow users to upload an unlimited amount of files through the forms; the files are stored in the document_library, allowing an attacker to cause a potential DDoS.
Severity CVSS v4.0: MEDIUM
Last modification:
12/12/2025

CVE-2025-43758

Publication date:
22/08/2025
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allow unauthenticated users (guests) to access via URL files uploaded by object entry and stored in document_library.
Severity CVSS v4.0: MEDIUM
Last modification:
16/12/2025

CVE-2025-43759

Publication date:
22/08/2025
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allow admin users of a virtual instance to add pages that are not in the default/main virtual instance; any tenant can then create a list of all other tenants.
Severity CVSS v4.0: MEDIUM
Last modification:
16/12/2025