Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-49188
Publication date:
12/06/2025
The application sends user credentials as URL parameters instead of POST bodies, making it vulnerable to information gathering.
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2026

CVE-2025-49190
Publication date:
12/06/2025
The application is vulnerable to Server-Side Request Forgery (SSRF). An endpoint can be used to send server internal requests to other ports.
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2026

CVE-2025-49187
Publication date:
12/06/2025
For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one.
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2026

CVE-2025-49186
Publication date:
12/06/2025
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2026

CVE-2025-49189
Publication date:
12/06/2025
The HttpOnlyflag of the session cookie \"@@\" is set to false. Since this flag helps preventing access to cookies via client-side scripts, setting the flag to false can lead to a higher possibility of Cross-Side-Scripting attacks which target the stored cookies.
Severity CVSS v4.0: Pending analysis
Last modification:
06/02/2026

CVE-2025-49185
Publication date:
12/06/2025
The web application is susceptible to cross-site-scripting attacks. An attacker who can create new dashboard widgets can inject malicious JavaScript code into the Transform Function which will be executed when the widget receives data from its data source.
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2026

CVE-2025-49184
Publication date:
12/06/2025
A remote unauthorized attacker may gather sensitive information of the application, due to missing authorization of configuration settings of the product.
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2026

CVE-2025-49183
Publication date:
12/06/2025
All communication with the REST API is unencrypted (HTTP), allowing an attacker to intercept traffic between an actor and the webserver. This leads to the possibility of information gathering and downloading media files.
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2026

CVE-2025-49182
Publication date:
12/06/2025
Files in the source code contain login credentials for the admin user and the property configuration password, allowing an attacker to get full access to the application.
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2026

CVE-2025-49181
Publication date:
12/06/2025
Due to missing authorization of an API endpoint, unauthorized users can send HTTP GET<br /> requests to gather sensitive information. An attacker could also send HTTP POST requests to modify<br /> the log files’ root path as well as the TCP ports the service is running on, leading to a Denial of Service<br /> attack.
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2026

CVE-2024-9512
Publication date:
12/06/2025
An issue has been discovered in GitLab EE affecting all versions prior to 17.10.8, 17.11 prior to 17.11.4, and 18.0 prior to 18.0.2. It may have been possible for private repository to be cloned in case of race condition when a secondary node is out of sync.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2025

CVE-2025-6021
Publication date:
12/06/2025
A flaw was found in libxml2&amp;#39;s xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.
Severity CVSS v4.0: Pending analysis
Last modification:
06/02/2026
Subscribe to Vulnerabilities