Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-12869

Publication date:
12/11/2025
The a+HRD developed by aEnrich has a Stored Cross-Site Scripting vulnerability, allowing remote attackers with administrator privileges to inject persistent JavaScript codes that are executed in users' browsers upon page load.
Severity CVSS v4.0: MEDIUM
Last modification:
18/11/2025

CVE-2025-12870

Publication date:
12/11/2025
The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to send crafted packets to obtain administrator access tokens and use them to access the system with elevated privileges.
Severity CVSS v4.0: CRITICAL
Last modification:
18/11/2025

CVE-2025-12018

Publication date:
12/11/2025
The MembershipWorks – Membership, Events & Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-12113

Publication date:
12/11/2025
The Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the atgai_delete_api_key() function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the API key connected to the site.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-11560

Publication date:
12/11/2025
The Team Members Showcase WordPress plugin before 3.5.0 does not sanitize and escape a parameter before outputting it back in the page, leading to reflected cross-site scripting, which could be used against high-privilege users such as admins.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2025-12901

Publication date:
12/11/2025
The Asgaros Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.1. This is due to missing nonce validation on the set_subscription_level() function. This makes it possible for unauthenticated attackers to modify the subscription settings of authenticated users via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-12833

Publication date:
12/11/2025
The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the 'post_attachment_upload' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to attach arbitrary image files to arbitrary places.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-12087

Publication date:
12/11/2025
The Wishlist and Save for later for Woocommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.22 via the 'awwlm_remove_added_wishlist_page' AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete wishlist items from other users' wishlists.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-54983

Publication date:
12/11/2025
A health check port on Zscaler Client Connector on Windows, versions 4.6
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-40111

Publication date:
12/11/2025
In the Linux kernel, the following vulnerability has been resolved:

drm/vmwgfx: Fix Use-after-free in validation

Nodes stored in the validation duplicates hashtable come from an arena allocator that is cleared at the end of vmw_execbuf_process. All nodes are expected to be cleared in vmw_validation_drop_ht but this node escaped because its resource was destroyed prematurely.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2025

CVE-2025-40110

Publication date:
12/11/2025
In the Linux kernel, the following vulnerability has been resolved:

drm/vmwgfx: Fix a null-ptr access in the cursor snooper

Check that the resource which is converted to a surface exists before trying to use the cursor snooper on it.

vmw_cmd_res_check allows explicit invalid (SVGA3D_INVALID_ID) identifiers because some svga commands accept SVGA3D_INVALID_ID to mean "no surface", unfortunately functions that accept the actual surfaces as objects might (and in case of the cursor snooper, do not) be able to handle null objects. Make sure that we validate not only the identifier (via the vmw_cmd_res_check) but also check that the actual resource exists before trying to do something with it.

Fixes unchecked null-ptr reference in the snooping code.
Severity CVSS v4.0: Pending analysis
Last modification:
11/01/2026

CVE-2025-43205

Publication date:
12/11/2025
An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in watchOS 11.4, tvOS 18.4, visionOS 2.4, iOS 18.4 and iPadOS 18.4. An app may be able to bypass ASLR.
Severity CVSS v4.0: Pending analysis
Last modification:
14/11/2025