Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-23540

Publication date:
23/01/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mohsin Khan WP Front-end login and register wp-front-end-login-and-register allows Reflected XSS. This issue affects WP Front-end login and register: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2025-23541

Publication date:
23/01/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in edmon.parker Download, Downloads ydn-download allows Reflected XSS. This issue affects Download, Downloads: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2024-55971

Publication date:
23/01/2025
SQL Injection vulnerability in the default configuration of the Logitime WebClock application
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-0637

Publication date:
23/01/2025
It has been found that the Beta10 software does not provide for proper authorisation control in multiple areas of the application. This deficiency could allow a malicious actor, without authentication, to access private areas and/or areas intended for other roles. The vulnerability has been identified at least in the file or path ‘/app/tools.html’.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-52325

Publication date:
23/01/2025
ECOVACS robot lawnmowers and vacuums are vulnerable to command injection via SetNetPin() over an unauthenticated BLE connection.
Severity CVSS v4.0: MEDIUM
Last modification:
23/09/2025

CVE-2024-10846

Publication date:
23/01/2025
The compose-go library component in versions v2.10-v2.4.0 allows an authorized user who sends malicious YAML payloads to cause compose-go to consume an excessive amount of memory and CPU cycles while parsing YAML, such as used by Docker Compose from versions v2.27.0 to v2.29.7 included.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-57947

Publication date:
23/01/2025
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_set_pipapo: fix initial map fill

The initial buffer has to be inited to all-ones, but it must restrict it to the size of the first field, not the total field size.

After each round in the map search step, the result and the fill map are swapped, so if we have a set where f->bsize of the first element is smaller than m->bsize_max, those one-bits are leaked into future rounds result map.

This makes pipapo find an incorrect matching results for sets where first field size is not the largest.

Followup patch adds a test case to nft_concat_range.sh selftest script.

Thanks to Stefano Brivio for pointing out that we need to zero out the remainder explicitly, only correcting memset() argument isn't enough.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2025

CVE-2024-10539

Publication date:
23/01/2025
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Uyumsoft Information Systems Uyumsoft ERP allows XSS Using Invalid Characters, Reflected XSS. This issue affects Uyumsoft ERP: before Erp4.2109.166p45.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-23006

Publication date:
23/01/2025
Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands.
Severity CVSS v4.0: Pending analysis
Last modification:
31/10/2025

CVE-2024-13389

Publication date:
23/01/2025
The Cliptakes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cliptakes_input_email' shortcode in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
31/01/2025

CVE-2024-13422

Publication date:
23/01/2025
The SEO Blogger to WordPress Migration using 301 Redirection plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' parameter in all versions up to, and including, 0.4.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2025

CVE-2024-12504

Publication date:
23/01/2025
The Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_hls' shortcode in all versions up to, and including, 6.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2025