Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-10641

Publication date:

21/10/2025

All WorkExaminer Professional traffic between monitoring client, console and server is transmitted as plain text. This allows an attacker with access to the network to read the transmitted sensitive data. An attacker can also freely modify the data on the wire. The monitoring clients transmit their data to the server using the unencrypted FTP. Clients connect to the FTP server on port 12304 and transmit the data unencrypted. In addition, all traffic between the console client and the server at port 12306 is unencrypted.

Severity CVSS v4.0: Pending analysis

Last modification:

15/04/2026

CVE-2025-10639

Publication date:

21/10/2025

The WorkExaminer Professional server installation comes with an FTP server that is used to receive the client logs on TCP port 12304. An attacker with network access to this port can use weak hardcoded credentials to login to the FTP server and modify or read data, log files and gain remote code execution as NT Authority\SYSTEM on the server by exchanging accessible service binaries in the WorkExaminer installation directory (e.g. "C:\Program File (x86)\Work Examiner Professional Server").

Severity CVSS v4.0: Pending analysis

Last modification:

15/04/2026

CVE-2025-7473

Publication date:

21/10/2025

Zohocorp ManageEngine EndPoint Central versions 11.4.2516.1 and prior are vulnerable to XML Injection.

Severity CVSS v4.0: Pending analysis

Last modification:

23/10/2025

CVE-2025-5496

Publication date:

21/10/2025

ZohoCorp ManageEngine Endpoint Central versions earlier than 11.4.2508.14, 11.4.2516.06, and 11.4.2518.01 are affected by an arbitrary file deletion vulnerability in the agent setup component.

Severity CVSS v4.0: Pending analysis

Last modification:

28/10/2025

CVE-2025-10612

Publication date:

21/10/2025

Improper Neutralization of Input During Web Page Generation (XSS or &#39;Cross-site Scripting&#39;) vulnerability in giSoft Information Technologies City Guide allows Reflected XSS.This issue affects City Guide: before 1.4.45.

Severity CVSS v4.0: Pending analysis

Last modification:

15/04/2026

CVE-2025-26392

Publication date:

21/10/2025

SolarWinds Observability Self-Hosted is susceptible to SQL injection vulnerability that may display sensitive data using a low-level account. This vulnerability requires authentication from a low-privilege account.

Severity CVSS v4.0: Pending analysis

Last modification:

12/11/2025

CVE-2025-12004

Publication date:

21/10/2025

Incorrect Permission Assignment for Critical Resource vulnerability in The Wikimedia Foundation Mediawiki - Lockdown Extension allows Privilege Abuse. Fixed in Mediawiki Core Action APIThis issue affects Mediawiki - Lockdown Extension: from master before 1.42.

Severity CVSS v4.0: CRITICAL

Last modification:

15/04/2026

CVE-2025-11949

Publication date:

21/10/2025

EasyFlow .NET and EasyFlow AiNet, developed by Digiwin, has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to obtain database administrator credentials via a specific functionality.

Severity CVSS v4.0: HIGH

Last modification:

15/04/2026

CVE-2025-10916

Publication date:

21/10/2025

The FormGent WordPress plugin before 1.0.4 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.

Severity CVSS v4.0: Pending analysis

Last modification:

15/04/2026

CVE-2025-62702

Publication date:

21/10/2025

Improper Neutralization of Input During Web Page Generation (XSS or &#39;Cross-site Scripting&#39;) vulnerability in The Wikimedia Foundation Mediawiki - PageTriage Extension allows Stored XSS.This issue affects Mediawiki - PageTriage Extension: from master before 1.44.

Severity CVSS v4.0: MEDIUM

Last modification:

15/04/2026

CVE-2025-62694

Publication date:

21/10/2025

Improper Neutralization of Input During Web Page Generation (XSS or &#39;Cross-site Scripting&#39;) vulnerability in The Wikimedia Foundation Mediawiki - WikiLove Extension allows Stored XSS.This issue affects Mediawiki - WikiLove Extension: 1.39.

Severity CVSS v4.0: MEDIUM

Last modification:

15/04/2026

CVE-2025-62701

Publication date:

21/10/2025

Improper Neutralization of Input During Web Page Generation (XSS or &#39;Cross-site Scripting&#39;) vulnerability in The Wikimedia Foundation Mediawiki - Wikistories allows Stored XSS.This issue affects Mediawiki - Wikistories: from master before 1.44.

Severity CVSS v4.0: MEDIUM

Last modification:

15/04/2026

Subscribe to Vulnerabilities