Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-65934

Publication date:
19/11/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2025

CVE-2025-65935

Publication date:
19/11/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2025

CVE-2025-65936

Publication date:
19/11/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2025

CVE-2025-65937

Publication date:
19/11/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2025

CVE-2025-65938

Publication date:
19/11/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2025

CVE-2025-65939

Publication date:
19/11/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2025

CVE-2025-12777

Publication date:
19/11/2025
The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.10.0. This is due to the plugin not properly verifying that a user is authorized to perform actions on the REST API /wp-json/yith/wishlist/v1/lists endpoint (which uses permission_callback => '__return_true') and the AJAX delete_item handler (which only checks nonce validity without verifying object-level authorization). This makes it possible for unauthenticated attackers to disclose wishlist tokens for any user and subsequently delete wishlist items by chaining the REST API authorization bypass with the exposed delete_item nonce on shared wishlist pages and the AJAX handler's missing object-level authorization check.
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2025

CVE-2025-13051

Publication date:
19/11/2025
When the service of ABP and AES is installed in a directory writable by non-administrative users, an attacker can replace or plant a DLL with the same name as one loaded by the service. Upon service restart, the malicious DLL is loaded and executed under the LocalSystem account, resulting in unauthorized code execution with elevated privileges. This issue affects ABP and AES: from ABP 2.0 through 2.0.7.9050, from AES 1.0 through 1.0.6.8290.
Severity CVSS v4.0: CRITICAL
Last modification:
19/11/2025

CVE-2025-12427

Publication date:
19/11/2025
The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.10.0 via the REST API endpoint and AJAX handler due to missing validation on user-controlled keys. This makes it possible for unauthenticated attackers to discover any user's wishlist token ID, and subsequently rename the victim's wishlist without authorization (integrity impact). This can be exploited to target multi-user stores for defacement, social engineering attacks, mass tampering, and profiling at scale.
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2025

CVE-2025-12770

Publication date:
19/11/2025
The New User Approve plugin for WordPress is vulnerable to unauthorized data disclosure in all versions up to, and including, 3.0.9 due to insufficient API key validation using loose equality comparison. This makes it possible for unauthenticated attackers to retrieve personally identifiable information (PII), including usernames and email addresses of users with various approval statuses via the Zapier REST API endpoints, by exploiting PHP type juggling with the api_key parameter set to "0" on sites where the Zapier API key has not been configured.
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2025

CVE-2025-13225

Publication date:
19/11/2025
Tanium addressed an arbitrary file deletion vulnerability in TanOS.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2025-12852

Publication date:
19/11/2025
DLL Loading vulnerability in NEC Corporation RakurakuMusen Start EX All Versions allows an attacker to manipulate the PC environment to cause unintended operations on the user's device.
Severity CVSS v4.0: HIGH
Last modification:
19/11/2025