Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates that information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters, you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-12558

Publication date:
09/12/2025
The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4 via the 'get_attachment_sizes' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including the path and meta data of private attachments, which can be used to view the attachments.
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2025

CVE-2025-13031

Publication date:
09/12/2025
The WPeMatico RSS Feed Fetcher WordPress plugin before 2.8.13 does not sanitize and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2025

CVE-2025-10876

Publication date:
09/12/2025
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Talent Software e-BAP Automation allows Cross-Site Scripting (XSS). This issue affects e-BAP Automation: from 1.8.96 before v.41815.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2026

CVE-2025-11022

Publication date:
09/12/2025
Cross-Site Request Forgery (CSRF) vulnerability in Personal Project Panilux allows Cross Site Request Forgery. This CSRF vulnerability resulting in Command Injection has been identified. This issue affects Panilux: before v.0.10.0. NOTE: The vendor was contacted and responded that they deny ownership of the mentioned product.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2025

CVE-2025-12381

Publication date:
09/12/2025
Improper Privilege Management vulnerability in AlgoSec Firewall Analyzer on Linux, 64 bit allows Privilege Escalation, Parameter Injection. A local user with access to the command line may escalate their privileges by abusing the parameters of a command that is approved in the sudoers file. This issue affects Firewall Analyzer: A33.0, A33.10.
Severity CVSS v4.0: MEDIUM
Last modification:
17/12/2025

CVE-2025-10655

Publication date:
09/12/2025
SQL Injection in Frappe HelpDesk in the dashboard get_dashboard_data due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe HelpDesk: 1.14.0.
Severity CVSS v4.0: HIGH
Last modification:
09/12/2025

CVE-2025-10573

Publication date:
09/12/2025
Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session. User interaction is required.
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2025

CVE-2024-56838

Publication date:
09/12/2025
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions
Severity CVSS v4.0: HIGH
Last modification:
13/01/2026

CVE-2024-56839

Publication date:
09/12/2025
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions
Severity CVSS v4.0: HIGH
Last modification:
13/01/2026

CVE-2024-56840

Publication date:
09/12/2025
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions
Severity CVSS v4.0: HIGH
Last modification:
13/01/2026

CVE-2024-56835

Publication date:
09/12/2025
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions
Severity CVSS v4.0: HIGH
Last modification:
13/01/2026

CVE-2024-56836

Publication date:
09/12/2025
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions
Severity CVSS v4.0: HIGH
Last modification:
13/01/2026