Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-12078

Publication date: 23/01/2025
ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE range can control any robot using the same key.
Severity CVSS v4.0: MEDIUM
Last modification: 23/01/2025

CVE-2024-12079

Publication date: 23/01/2025
ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. An attacker can steal a lawnmower, read the PIN, and reset the anti-theft mechanism.
Severity CVSS v4.0: MEDIUM
Last modification: 23/01/2025

CVE-2024-52327

Publication date: 23/01/2025
The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed.
Severity CVSS v4.0: MEDIUM
Last modification: 23/01/2025

CVE-2024-11147

Publication date: 23/01/2025
ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. An attacker with shell access can log in as root.
Severity CVSS v4.0: HIGH
Last modification: 23/01/2025

CVE-2025-23733

Publication date: 23/01/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sayocode SC Simple Zazzle allows Reflected XSS. This issue affects SC Simple Zazzle: from n/a through 1.1.6.
Severity CVSS v4.0: Pending analysis
Last modification: 23/01/2025

CVE-2025-23834

Publication date: 23/01/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Links/Problem Reporter allows Reflected XSS. This issue affects Links/Problem Reporter: from n/a through 2.6.0.
Severity CVSS v4.0: Pending analysis
Last modification: 23/01/2025

CVE-2025-23835

Publication date: 23/01/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Legal + allows Reflected XSS. This issue affects Legal +: from n/a through 1.0.
Severity CVSS v4.0: Pending analysis
Last modification: 23/01/2025

CVE-2025-23836

Publication date: 23/01/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SuryaBhan Custom Coming Soon allows Reflected XSS. This issue affects Custom Coming Soon: from n/a through 2.2.
Severity CVSS v4.0: Pending analysis
Last modification: 23/01/2025

CVE-2025-23894

Publication date: 23/01/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tatsuya Fukata, Alexander Ovsov wp-flickr-press allows Reflected XSS. This issue affects wp-flickr-press: from n/a through 2.6.4.
Severity CVSS v4.0: Pending analysis
Last modification: 23/01/2025

CVE-2025-23960

Publication date: 23/01/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in basteln3rk Save & Import Image from URL allows Reflected XSS. This issue affects Save & Import Image from URL: from n/a through 0.7.
Severity CVSS v4.0: Pending analysis
Last modification: 23/01/2025

CVE-2025-23722

Publication date: 23/01/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Mind3doM RyeBread Widgets allows Reflected XSS. This issue affects Mind3doM RyeBread Widgets: from n/a through 1.0.
Severity CVSS v4.0: Pending analysis
Last modification: 23/01/2025

CVE-2025-23723

Publication date: 23/01/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Plestar Inc Plestar Directory Listing allows Reflected XSS. This issue affects Plestar Directory Listing: from n/a through 1.0.
Severity CVSS v4.0: Pending analysis
Last modification: 23/01/2025