Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-47445
Publication date:
14/05/2025
Relative Path Traversal vulnerability in Themewinter Eventin allows Path Traversal.This issue affects Eventin: from n/a through 4.0.26.
Severity CVSS v4.0: Pending analysis
Last modification:
16/05/2025

CVE-2025-3769
Publication date:
14/05/2025
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.92 via the 'view_booking_summary_in_lightbox' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to retrieve appointment details such as customer names and email addresses.
Severity CVSS v4.0: Pending analysis
Last modification:
16/05/2025

CVE-2025-4430
Publication date:
14/05/2025
Unauthorized access to "/api/Token/gettoken" endpoint in EZD RP allows file manipulation.This issue affects EZD RP in versions before 20.19 (published on 22nd August 2024).
Severity CVSS v4.0: HIGH
Last modification:
16/05/2025

CVE-2025-47292
Publication date:
14/05/2025
Cap Collectif is an online decision making platform that integrates several tools. Before commit 812f2a7d271b76deab1175bdaf2be0b8102dd198, the `DebateAlternateArgumentsResolver` deserializes a `Cursor`, allowing any classes and which can be controlled by unauthenticated user. Exploitation of this vulnerability can lead to Remote Code Execution. The vulnerability is fixed in commit 812f2a7d271b76deab1175bdaf2be0b8102dd198.
Severity CVSS v4.0: CRITICAL
Last modification:
16/05/2025

CVE-2025-3834
Publication date:
14/05/2025
Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the OU History report.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2025

CVE-2025-3833
Publication date:
14/05/2025
Zohocorp ManageEngine ADSelfService Plus versions 6513 and prior are vulnerable to authenticated SQL injection in the MFA reports.
Severity CVSS v4.0: Pending analysis
Last modification:
16/05/2025

CVE-2025-26864
Publication date:
14/05/2025
Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB.<br /> <br /> This issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2.<br /> <br /> Users are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2025

CVE-2025-26795
Publication date:
14/05/2025
Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver.<br /> <br /> This issue affects iotdb-jdbc: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2.<br /> <br /> Users are recommended to upgrade to version 2.0.2 and 1.3.4, which fix the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2025

CVE-2024-24780
Publication date:
14/05/2025
Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has privilege to create UDF can register malicious function from untrusted URI.<br /> <br /> This issue affects Apache IoTDB: from 1.0.0 before 1.3.4.<br /> <br /> Users are recommended to upgrade to version 1.3.4, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2025

CVE-2025-2875
Publication date:
14/05/2025
CWE-610: Externally Controlled Reference to a Resource in Another Sphere vulnerability exists that could<br /> cause a loss of confidentiality when an unauthenticated attacker manipulates controller’s webserver URL to<br /> access resources.
Severity CVSS v4.0: HIGH
Last modification:
16/05/2025

CVE-2024-8988
Publication date:
14/05/2025
The PeepSo Core: File Uploads plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.6.0 via the file_download REST API endpoint due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to download files uploaded by others users and expose potentially sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
16/05/2025

CVE-2024-13940
Publication date:
14/05/2025
The Ninja Forms Webhooks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.0.7 via the form webhook functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Severity CVSS v4.0: Pending analysis
Last modification:
16/05/2025
Subscribe to Vulnerabilities