Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-5117

Publication date:
27/05/2025
The Property plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the use of the property_package_user_role metadata in versions 1.0.5 to 1.0.6. This makes it possible for authenticated attackers, with Author-level access and above, to elevate their privileges to that of an administrator by creating a package post whose property_package_user_role is set to administrator and then submitting the PayPal registration form.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2025

CVE-2025-4412

Publication date:
27/05/2025
On macOS systems, by utilizing a Launch Agent and loading the viscosity_openvpn process from the application bundle, it is possible to load a dynamic library with Viscosity's TCC (Transparency, Consent, and Control) identity. The acquired resource access is limited without entitlements such as access to the camera or microphone. Only user-granted permissions for file resources apply. Access to other resources beyond granted permissions requires user interaction with a system prompt asking for permission.

This issue was fixed in version 1.11.5 of Viscosity.
Severity CVSS v4.0: MEDIUM
Last modification:
28/05/2025

CVE-2025-41649

Publication date:
27/05/2025
An unauthenticated remote attacker can exploit insufficient input validation to write data beyond the bounds of a buffer, potentially leading to a denial-of-service condition for the devices.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2025

CVE-2025-41650

Publication date:
27/05/2025
An unauthenticated remote attacker can exploit input validation in cmd services of the devices, allowing them to disrupt system operations and potentially cause a denial-of-service.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2025

CVE-2025-41651

Publication date:
27/05/2025
Due to missing authentication on a critical function of the devices an unauthenticated remote attacker can execute arbitrary commands, potentially enabling unauthorized upload or download of configuration files and leading to full system compromise.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2025

CVE-2025-41652

Publication date:
27/05/2025
The devices are vulnerable to an authentication bypass due to flaws in the authorization mechanism. An unauthenticated remote attacker could exploit this weakness by performing brute-force attacks to guess valid credentials or by using MD5 collision techniques to forge authentication hashes, potentially compromising the device.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2025

CVE-2025-41653

Publication date:
27/05/2025
An unauthenticated remote attacker can exploit a denial-of-service vulnerability in the device's web server functionality by sending a specially crafted HTTP request with a malicious header, potentially causing the server to crash or become unresponsive.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2025

CVE-2025-23393

Publication date:
27/05/2025
An Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in spacewalk-java allows execution of arbitrary JavaScript code on users' machines. This issue affects Container suse/manager/5.0/x86_64/server:5.0.4.7.19.1: from ? before 5.0.24-150600.3.25.1; SUSE Manager Server Module 4.3: from ? before 4.3.85-150400.3.105.3.
Severity CVSS v4.0: MEDIUM
Last modification:
28/05/2025

CVE-2025-2407

Publication date:
27/05/2025
Missing Authentication & Authorization in the Web-API in Mobatime AMX MTAPI v6 on IIS allows adversaries unrestricted access via the network. The vulnerability is fixed in Version 1.5.
Severity CVSS v4.0: CRITICAL
Last modification:
28/05/2025

CVE-2024-47090

Publication date:
27/05/2025
Improper neutralization of input in Nagvis before version 1.9.47 which can lead to XSS
Severity CVSS v4.0: MEDIUM
Last modification:
03/11/2025

CVE-2024-38866

Publication date:
27/05/2025
Improper neutralization of input in Nagvis before version 1.9.47 which can lead to livestatus injection
Severity CVSS v4.0: MEDIUM
Last modification:
03/11/2025

CVE-2025-48382

Publication date:
27/05/2025
Fess is a deployable Enterprise Search Server. Prior to version 14.19.2, the createTempFile() method in org.codelibs.fess.helper.SystemHelper creates temporary files without explicitly setting restrictive permissions. This could lead to potential information disclosure, allowing unauthorized local users to access sensitive data contained in these files. This issue primarily affects environments where Fess is deployed in a shared or multi-user context. Typical single-user or isolated deployments have minimal or negligible practical impact. This issue has been patched in version 14.19.2. A workaround for this issue involves ensuring local access to the environment running Fess is restricted to trusted users only.
Severity CVSS v4.0: LOW
Last modification:
26/08/2025