Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion the list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still carrying out the translation. Vulnerabilities are identified using the CVE (Common Vulnerabilities and Exposures) standard, so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-40635

Publication date:
20/05/2025
SQL injection vulnerability in Comerzzia Backoffice: Sales Orchestrator 3.0.15. An attacker can retrieve, create, update and delete database contents via the 'uidActivity', 'codCompany' and 'uidInstance' parameters of the '/comerzzia/login' endpoint.
Severity CVSS v4.0: CRITICAL
Last modification:
21/05/2025
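The entry above names three login parameters that reach a SQL query unsanitised. The following added example is not Comerzzia's code; it is a constructed stand-in (the table, columns and in-memory SQLite database are assumptions) that shows the difference between concatenating those parameters into the query text and binding them as parameters, and why the first lets one parameter read rows it was never meant to match, including other tables.

```python
import sqlite3


def setup_db():
    """Constructed in-memory table standing in for an orchestrator login lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE activity (uidActivity TEXT, codCompany TEXT, "
        "uidInstance TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO activity VALUES (?, ?, ?, ?)",
        [("act-1", "C01", "inst-1", "alice"), ("act-2", "C02", "inst-2", "bob")],
    )
    return conn


def login_vulnerable(conn, uidActivity, codCompany, uidInstance):
    """Weak pattern: request parameters spliced straight into the SQL text.

    A value such as  x' OR 1=1 --  closes the string literal, adds a
    tautology and comments out the remaining conditions; a UNION payload
    appends rows from any other table the connection can read.
    """
    sql = (
        "SELECT owner FROM activity WHERE uidActivity = '" + uidActivity
        + "' AND codCompany = '" + codCompany
        + "' AND uidInstance = '" + uidInstance + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn, uidActivity, codCompany, uidInstance):
    """Parameterised form: the driver sends values separately from the SQL,
    so quote characters in a parameter can never change the statement."""
    sql = (
        "SELECT owner FROM activity WHERE uidActivity = ? "
        "AND codCompany = ? AND uidInstance = ?"
    )
    return [row[0] for row in conn.execute(sql, (uidActivity, codCompany, uidInstance))]


if __name__ == "__main__":
    db = setup_db()
    payload = "x' OR 1=1 --"
    print("vulnerable:", login_vulnerable(db, payload, "", ""))
    print("hardened:  ", login_hardened(db, payload, "", ""))
    print("schema leak:", login_vulnerable(db, "x' UNION SELECT name FROM sqlite_master --", "", ""))
```

The same tautology payload returns every row from the concatenated query and nothing from the parameterised one; the UNION variant shows how "retrieve" in the advisory extends beyond the login table. Stacked statements (the create/update/delete cases) are not shown because the sqlite3 module refuses multiple statements per execute call, but a driver that allows them turns the same injection point into a write primitive.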

CVE-2025-41229

Publication date:
20/05/2025
VMware Cloud Foundation contains a directory traversal vulnerability. A malicious actor with network access to port 443 on VMware Cloud Foundation may exploit this issue to access certain internal services.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2025-41230

Publication date:
20/05/2025
VMware Cloud Foundation contains an information disclosure vulnerability. A malicious actor with network access to port 443 on VMware Cloud Foundation may exploit this issue to gain access to sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2025-30193

Publication date:
20/05/2025
In some circumstances, when DNSdist is configured to allow an unlimited number of queries on a single incoming TCP connection from a client, an attacker can craft a TCP exchange that exhausts the stack and crashes DNSdist, causing a denial of service.

The remedy is to upgrade to the patched 1.9.10 version.

A workaround is to restrict the maximum number of queries on incoming TCP connections to a safe value, such as 50, via the setMaxTCPQueriesPerConnection setting.

We would like to thank Renaud Allard for bringing this issue to our attention.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2025-40633

Publication date:
20/05/2025
A Stored Cross-Site Scripting (XSS) vulnerability has been found in Koibox for versions prior to e8cbce2. This vulnerability allows an authenticated attacker to upload an image containing malicious JavaScript code as a profile picture in the '/es/dashboard/clientes/ficha/' endpoint.
Severity CVSS v4.0: MEDIUM
Last modification:
21/05/2025
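A "profile picture" that carries JavaScript is usually an SVG or an HTML document accepted because the server trusted the client-supplied filename or Content-Type. The following added example is not Koibox's code; it is a constructed upload check (format list, header set and sample bytes are assumptions) that accepts only raster formats by their magic bytes, ignores the declared name and type, and returns the response headers that stop a browser from interpreting the stored bytes as anything but an image.

```python
import hashlib

# Magic bytes of the raster formats an avatar endpoint has any reason to accept.
# SVG and HTML are text and have no entry here, so they are rejected outright.
ALLOWED_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ("image/png", ".png"),
    b"\xff\xd8\xff": ("image/jpeg", ".jpg"),
    b"GIF87a": ("image/gif", ".gif"),
    b"GIF89a": ("image/gif", ".gif"),
}


def inspect_upload(data: bytes):
    """Return (content_type, extension) for an accepted raster image, else None."""
    for sig, (ctype, ext) in ALLOWED_SIGNATURES.items():
        if data.startswith(sig):
            return ctype, ext
    return None


def is_accepted(data: bytes) -> bool:
    return inspect_upload(data) is not None


def store_profile_picture(data: bytes, declared_type: str, declared_name: str):
    """Validate by content, then choose name, type and headers server-side.

    declared_type and declared_name come from the client and are deliberately
    unused for any security decision; they are only parameters so the
    signature mirrors what an upload handler receives.
    """
    result = inspect_upload(data)
    if result is None:
        raise ValueError("not a PNG/JPEG/GIF image")
    ctype, ext = result
    # Name derived from the content hash: no user-controlled extension or path.
    name = hashlib.sha256(data).hexdigest()[:16] + ext
    headers = {
        "Content-Type": ctype,
        # nosniff stops the browser from upgrading image bytes to HTML/JS
        # even if they happen to parse as such (GIF/JS polyglots).
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="{name}"',
        # If the bytes were ever rendered as a document, no script may run.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    return name, headers


# Constructed sample inputs (not real uploads).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG_SAMPLE = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>'
HTML_SAMPLE = b"<html><script>alert(1)</script></html>"
POLYGLOT_SAMPLE = b"GIF89a" + b"<script>alert(1)</script>"

if __name__ == "__main__":
    for label, blob in [("png", PNG_SAMPLE), ("svg", SVG_SAMPLE),
                        ("html", HTML_SAMPLE), ("polyglot", POLYGLOT_SAMPLE)]:
        print(label, "accepted" if is_accepted(blob) else "rejected")
```

The polyglot sample shows the limit of a magic-byte check on its own: a file that starts with a GIF header is accepted even though script follows it. That is why the response headers are part of the control, and why a stricter handler re-encodes the image through an imaging library rather than storing the uploaded bytes verbatim.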

CVE-2025-40634

Publication date:
20/05/2025
Stack-based buffer overflow vulnerability in the 'conn-indicator' binary running as root on the TP-Link Archer AX50 router, in firmware versions prior to 1.0.15 build 241203 rel61480. This vulnerability allows an attacker to execute arbitrary code on the device over LAN and WAN networks.
Severity CVSS v4.0: CRITICAL
Last modification:
21/05/2025

CVE-2025-37892

Publication date:
20/05/2025
In the Linux kernel, the following vulnerability has been resolved:

mtd: inftlcore: Add error check for inftl_read_oob()

In INFTL_findwriteunit(), the return value of inftl_read_oob() needs to be checked. A proper implementation can be found in INFTL_deleteblock(). The status will be set to SECTOR_IGNORE to break out of the while loop correctly if inftl_read_oob() fails.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-4951

Publication date:
20/05/2025
Editions of Rapid7 AppSpider Pro before version 7.5.018 are vulnerable to stored cross-site scripting in the "ScanName" field. Although the application prevents special characters from being entered in the "ScanName" field, this can be bypassed by modifying the configuration file directly.

This is fixed as of version 7.5.018.
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2025

CVE-2024-5878

Publication date:
20/05/2025
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled SimpleLightbox JavaScript library (version 2.1.5) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2025-2929

Publication date:
20/05/2025
The Order Delivery Date WordPress plugin before 12.4.0 does not sanitise and escape a parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2025

CVE-2025-4322

Publication date:
20/05/2025
The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2025-3079

Publication date:
20/05/2025
A passback vulnerability affecting office and small-office multifunction printers and laser printers.
Severity CVSS v4.0: MEDIUM
Last modification:
21/05/2025