Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-49194
Publication date:
12/06/2025
The server supports authentication methods in which credentials are sent in plaintext over unencrypted channels. If an attacker were to intercept traffic between a client and this server, the credentials would be exposed.
Severity CVSS v4.0: Pending analysis
Last modification:
26/01/2026

CVE-2025-49193
Publication date:
12/06/2025
The application fails to implement several security headers. These headers help increase the overall security level of the web application by e.g., preventing the application to be displayed in an iFrame (Clickjacking attacks) or not executing injected malicious JavaScript code (XSS attacks).
Severity CVSS v4.0: Pending analysis
Last modification:
26/01/2026

CVE-2024-56158
Publication date:
12/06/2025
XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select and Hibernate allows using any native function in an HQL query. This vulnerability is fixed in 16.10.2, 16.4.7, and 15.10.16.
Severity CVSS v4.0: CRITICAL
Last modification:
12/01/2026

CVE-2025-49186
Publication date:
12/06/2025
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2026

CVE-2025-49189
Publication date:
12/06/2025
The HttpOnlyflag of the session cookie \"@@\" is set to false. Since this flag helps preventing access to cookies via client-side scripts, setting the flag to false can lead to a higher possibility of Cross-Side-Scripting attacks which target the stored cookies.
Severity CVSS v4.0: Pending analysis
Last modification:
06/02/2026

CVE-2025-49191
Publication date:
12/06/2025
Linked URLs during the creation of iFrame widgets and dashboards are vulnerable to code execution. The URLs get embedded as iFrame widgets, making it possible to attack other users that access the dashboard by including malicious code. The attack is only possible if the attacker is authorized to create new dashboards or iFrame widgets.
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2026

CVE-2025-49188
Publication date:
12/06/2025
The application sends user credentials as URL parameters instead of POST bodies, making it vulnerable to information gathering.
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2026

CVE-2025-49190
Publication date:
12/06/2025
The application is vulnerable to Server-Side Request Forgery (SSRF). An endpoint can be used to send server internal requests to other ports.
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2026

CVE-2025-49187
Publication date:
12/06/2025
For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one.
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2026

CVE-2025-49181
Publication date:
12/06/2025
Due to missing authorization of an API endpoint, unauthorized users can send HTTP GET<br /> requests to gather sensitive information. An attacker could also send HTTP POST requests to modify<br /> the log files’ root path as well as the TCP ports the service is running on, leading to a Denial of Service<br /> attack.
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2026

CVE-2025-49185
Publication date:
12/06/2025
The web application is susceptible to cross-site-scripting attacks. An attacker who can create new dashboard widgets can inject malicious JavaScript code into the Transform Function which will be executed when the widget receives data from its data source.
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2026

CVE-2025-49184
Publication date:
12/06/2025
A remote unauthorized attacker may gather sensitive information of the application, due to missing authorization of configuration settings of the product.
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2026
Subscribe to Vulnerabilities