Vulnerabilities

To inform, warn and assist professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, as different criteria can be selected to narrow down the results, for example vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-46729

Publication date:
12/05/2025
julmud/phpDVDProfiler is an adoption of the defunct phpDVDProfiler project, which allows users to display on the web their DVD collections maintained with Invelos's DVDProfiler software. Starting in v_20230807 and prior to v_20250511, the search function is vulnerable to cross-site scripting. v_20250511 contains a patch for the issue.
Severity CVSS v4.0: LOW
Last modification:
12/05/2025

CVE-2025-22247

Publication date:
12/05/2025
VMware Tools contains an insecure file handling vulnerability. A malicious actor with non-administrative privileges on a guest VM may tamper the local files to trigger insecure file operations within that VM.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2025

CVE-2025-1533

Publication date:
12/05/2025
A stack buffer overflow has been identified in the AsIO3.sys driver. This vulnerability can be triggered by input manipulation and may lead to a system crash (BSOD) or other potentially undefined execution. Refer to the 'Security Update for Armoury Crate App' section on the ASUS Security Advisory for more information.
Severity CVSS v4.0: HIGH
Last modification:
12/05/2025

CVE-2025-3496

Publication date:
12/05/2025
An unauthenticated remote attacker can cause a buffer overflow which could lead to unexpected behaviour or DoS via Bluetooth or RS-232 interface.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2025

CVE-2025-41393

Publication date:
12/05/2025
Reflected cross-site scripting vulnerability exists in the laser printers and MFPs (multifunction printers) which implement Ricoh Web Image Monitor. If exploited, an arbitrary script may be executed on the web browser of the user who accessed Web Image Monitor. As for the details of affected product names and versions, refer to the information provided by the vendors under [References].
Severity CVSS v4.0: MEDIUM
Last modification:
14/07/2025

CVE-2025-4561

Publication date:
12/05/2025
The KFOX from KingFor has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privilege to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
Severity CVSS v4.0: HIGH
Last modification:
12/05/2025

CVE-2025-4560

Publication date:
12/05/2025
The ISOinsight from Netvision has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access certain system functions. These functions include viewing the administrator list, viewing and editing IP settings, and uploading files.
Severity CVSS v4.0: MEDIUM
Last modification:
12/05/2025

CVE-2025-3649

Publication date:
12/05/2025
The LightPress Lightbox WordPress plugin before 2.3.4 does not check that download links point to valid, non-Javascript URLs, allowing users with at least the contributor role to conduct Stored XSS attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2025

CVE-2025-4559

Publication date:
12/05/2025
The ISOinsight from Netvision has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
Severity CVSS v4.0: CRITICAL
Last modification:
12/05/2025

CVE-2025-3597

Publication date:
12/05/2025
The Firelight Lightbox WordPress plugin before 2.3.15 does not prevent users with post writing capabilities from executing arbitrary Javascript when the jQuery Metadata library is enabled. While this feature is meant to only be available to Pro version users, it can be activated in the free version too, making it theoretically exploitable there as well.
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2025

CVE-2025-4558

Publication date:
12/05/2025
The GPM from WormHole Tech has an Unverified Password Change vulnerability, allowing unauthenticated remote attackers to change any user's password and use the modified password to log into the system.
Severity CVSS v4.0: CRITICAL
Last modification:
12/05/2025

CVE-2025-4556

Publication date:
12/05/2025
The web management interface of Okcat Parking Management Platform from ZONG YU has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
Severity CVSS v4.0: CRITICAL
Last modification:
12/05/2025