Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-11283
Publication date:
14/03/2025
The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to wp_ajax_google_api_login_callback function not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to access arbitrary candidate accounts.
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2025

CVE-2025-30022
Publication date:
14/03/2025
CM Soluces Informatica Ltda Auto Atendimento 1.x.x was discovered to contain a SQL injection via the DATANASC parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2025

CVE-2025-26163
Publication date:
14/03/2025
CM Soluces Informatica Ltda Auto Atendimento 1.x.x was discovered to contain a SQL injection via the CPF parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2025

CVE-2024-55549
Publication date:
14/03/2025
xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-24855
Publication date:
14/03/2025
numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-1266
Publication date:
13/03/2025
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2025

CVE-2024-55060
Publication date:
13/03/2025
A cross-site scripting (XSS) vulnerability in the component index.php of Rafed CMS Website v1.44 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2025

CVE-2025-27496
Publication date:
13/03/2025
Snowflake, a platform for using artificial intelligence in the context of cloud computing, has a vulnerability in the Snowflake JDBC driver ("Driver") in versions 3.0.13 through 3.23.0 of the driver. When the logging level was set to DEBUG, the Driver would log locally the client-side encryption master key of the target stage during the execution of GET/PUT commands. This key by itself does not grant access to any sensitive data without additional access authorizations, and is not logged server-side by Snowflake. Snowflake fixed the issue in version 3.23.1.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2025

CVE-2025-2229
Publication date:
13/03/2025
A token is created using the username, current date/time, and a fixed <br /> AES-128 encryption key, which is the same across all installations.
Severity CVSS v4.0: HIGH
Last modification:
13/03/2025

CVE-2025-2230
Publication date:
13/03/2025
A flaw exists in the Windows login flow where an AuthContext token can <br /> be exploited for replay attacks and authentication bypass.
Severity CVSS v4.0: HIGH
Last modification:
13/03/2025

CVE-2025-25363
Publication date:
13/03/2025
An authenticated stored cross-site scripting (XSS) vulnerability in The Plugin People Enterprise Mail Handler for Jira Data Center (JEMH) before v4.1.69-dc allows attackers with Administrator privileges to execute arbitrary Javascript in context of a user&amp;#39;s browser via injecting a crafted payload into the HTML field of a template.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2025

CVE-2025-25598
Publication date:
13/03/2025
Incorrect access control in the scheduled tasks console of Inova Logic CUSTOMER MONITOR (CM) v3.1.757.1 allows attackers to escalate privileges via placing a crafted executable into a scheduled task.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2025
Subscribe to Vulnerabilities