Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-52667
Publication date:
20/11/2025
Missing JSON Content-Type header in a script in Revive Adserver 6.0.1 and 5.5.2 and earlier versions causes a stored XSS attack to be possible for a logged in manager user.
Severity CVSS v4.0: Pending analysis
Last modification:
02/12/2025

CVE-2025-52666
Publication date:
20/11/2025
Improper neutralisation of format characters in the settings of Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes an administrator user to disable the admin user console due to a fatal PHP error.
Severity CVSS v4.0: Pending analysis
Last modification:
02/12/2025

CVE-2025-35029
Publication date:
20/11/2025
Medical Informatics Engineering Enterprise Health has a stored cross site scripting vulnerability that allows an authenticated attacker to add arbitrary content in the 'Demographic Information' page. This content will be rendered and executed when a victim accesses it. This issue is fixed as of 2025-03-14.
Severity CVSS v4.0: MEDIUM
Last modification:
31/12/2025

CVE-2025-63700
Publication date:
20/11/2025
Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Severity CVSS v4.0: Pending analysis
Last modification:
23/12/2025

CVE-2025-55127
Publication date:
20/11/2025
HackerOne community member Dao Hoang Anh (yoyomiski) has reported an improper neutralization of whitespace in the username when adding new users. A username with leading or trailing whitespace could be virtually indistinguishable from its legitimate counterpart when the username is displayed in the UI, potentially leading to confusion.
Severity CVSS v4.0: Pending analysis
Last modification:
21/11/2025

CVE-2025-55128
Publication date:
20/11/2025
HackerOne community member Dang Hung Vi (vidang04) has reported an uncontrolled resource consumption vulnerability in the “userlog-index.php”. An attacker with access to the admin interface could request an arbitrarily large number of items per page, potentially leading to a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
02/12/2025

CVE-2025-55126
Publication date:
20/11/2025
HackerOne community member Dang Hung Vi (vidang04) has reported a stored XSS vulnerability involving the navigation box at the top of advertiser-related pages, with campaign names being the vector for the stored XSS
Severity CVSS v4.0: Pending analysis
Last modification:
01/12/2025

CVE-2025-10571
Publication date:
20/11/2025
Authentication Bypass Using an Alternate Path or Channel vulnerability in ABB ABB Ability Edgenius.This issue affects ABB Ability Edgenius: 3.2.0.0, 3.2.1.1.
Severity CVSS v4.0: CRITICAL
Last modification:
21/11/2025

CVE-2025-63889
Publication date:
20/11/2025
The fetch function in file thinkphp\library\think\Template.php in ThinkPHP 5.0.24 allows attackers to read arbitrary files via crafted file path in a template value.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2025

CVE-2025-64524
Publication date:
20/11/2025
cups-filters contains backends, filters, and other software required to get the cups printing service working on operating systems other than macos. In versions 2.0.1 and prior, a heap-buffer-overflow vulnerability in the rastertopclx filter causes the program to crash with a segmentation fault when processing maliciously crafted input data. This issue can be exploited to trigger memory corruption, potentially leading to arbitrary code execution. This issue has been patched via commit 956283c.
Severity CVSS v4.0: Pending analysis
Last modification:
15/12/2025

CVE-2025-63888
Publication date:
20/11/2025
The read function in file thinkphp\library\think\template\driver\File.php in ThinkPHP 5.0.24 contains a remote code execution vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2025

CVE-2025-64185
Publication date:
20/11/2025
Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, Open OnDemand packages create world writable locations in the GEM_PATH. Open OnDemand versions 4.0.8 and 3.1.16 have been patched for this vulnerability.
Severity CVSS v4.0: MEDIUM
Last modification:
21/11/2025
Subscribe to Vulnerabilities