Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-12628
Publication date:
24/11/2025
The WP 2FA WordPress plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2025

CVE-2025-41087
Publication date:
24/11/2025
Cross-Site Scripting (XSS) vulnerability stored in tha Taclia web application, where the uploaded SVG images are not properly sanitized. This allows to the attackers to embed malicious scripts in SVG files such as image profiles, which are then stored on the server and executed in the context of any user who accesses the compromised resource.
Severity CVSS v4.0: MEDIUM
Last modification:
25/11/2025

CVE-2025-41729
Publication date:
24/11/2025
An unauthenticated remote attacker can send a specially crafted Modbus read command to the device which leads to a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2025

CVE-2025-12740
Publication date:
24/11/2025
A Looker user with a Developer role could create a database connection using IBM DB2 driver and, by manipulating LookML, cause Looker to execute a malicious command, due to inadequate filtering of the driver&amp;#39;s parameters.<br /> <br /> Looker-hosted and Self-hosted were found to be vulnerable.<br /> This issue has already been mitigated for Looker-hosted instances. No user action is required for these.<br /> <br /> <br /> Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted.<br /> The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ :<br /> * 25.0.93+<br /> * 25.6.84+<br /> <br /> * 25.12.42+<br /> * 25.14.50+<br /> * 25.16.44+
Severity CVSS v4.0: HIGH
Last modification:
25/11/2025

CVE-2025-12741
Publication date:
24/11/2025
A Looker user with Developer role could create a database connection using Denodo driver and, by manipulating LookML, cause Looker to execute a malicious command.<br /> <br /> Looker-hosted and Self-hosted were found to be vulnerable.<br /> This issue has already been mitigated for Looker-hosted instances. No user action is required for these.<br /> <br /> <br /> Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted.<br /> The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ :<br /> * 24.12.108+<br /> * 24.18.200+<br /> * 25.0.78+<br /> * 25.6.65+<br /> * 25.8.47+<br /> * 25.12.10+<br /> * 25.14+
Severity CVSS v4.0: HIGH
Last modification:
25/11/2025

CVE-2025-12739
Publication date:
24/11/2025
An attacker with viewer permissions in Looker could craft a malicious URL that, when opened by a Looker admin, would execute an attacker-supplied script. Exploitation required at least one Looker extension installed on the instance.<br /> <br /> Looker-hosted and Self-hosted were found to be vulnerable.<br /> This issue has already been mitigated for Looker-hosted instances. No user action is required for these.<br /> <br /> <br /> Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted.<br /> The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.18.201+<br /> * 25.0.79+<br /> * 25.6.66+<br /> * 25.12.7+<br /> * 25.16.0+<br /> * 25.18.0+<br /> * 25.20.0+
Severity CVSS v4.0: HIGH
Last modification:
25/11/2025

CVE-2025-13596
Publication date:
24/11/2025
A sensitive information disclosure vulnerability exists in the error handling component of ATISoluciones CIGES Application version 2.15.6 and earlier. When certain unexpected conditions trigger unhandled exceptions, the application returns detailed error messages and stack traces to the client. This may expose internal filesystem paths, SQL queries, database connection details, or environment configuration data to remote unauthenticated attackers. This issue allows information gathering and reconnaissance but does not enable direct system compromise.
Severity CVSS v4.0: LOW
Last modification:
25/11/2025

CVE-2025-13588
Publication date:
24/11/2025
A vulnerability was found in lKinderBueno Streamity Xtream IPTV Player up to 2.8. The impacted element is an unknown function of the file public/proxy.php. Performing manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit has been made public and could be used. Upgrading to version 2.8.1 is sufficient to resolve this issue. The patch is named c70bfb8d36b47bfd64c5ec73917e1d9ddb97af92. It is suggested to upgrade the affected component.
Severity CVSS v4.0: MEDIUM
Last modification:
25/11/2025

CVE-2025-13586
Publication date:
24/11/2025
A flaw has been found in SourceCodester Online Student Clearance System 1.0. Impacted is an unknown function of the file /Admin/changepassword.php. This manipulation of the argument txtconfirm_password causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
25/11/2025

CVE-2025-12569
Publication date:
24/11/2025
The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.0 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2025

CVE-2025-12629
Publication date:
24/11/2025
The Broken Link Manager WordPress plugin through 0.6.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2025

CVE-2025-13585
Publication date:
24/11/2025
A vulnerability was detected in code-projects COVID Tracking System 1.0. This issue affects some unknown processing of the file /login.php. The manipulation of the argument code results in sql injection. The attack may be performed from remote. The exploit is now public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
25/11/2025
Subscribe to Vulnerabilities