Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we maintain a database, in Spanish, of all recently documented and recognised vulnerabilities for users interested in this information.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for naming security vulnerabilities is used so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-52951

Publication date:
11/07/2025
A Protection Mechanism Failure vulnerability in kernel filter processing of Juniper Networks Junos OS allows an attacker sending IPv6 traffic to an interface to effectively bypass any firewall filtering configured on the interface.

Due to an issue with Junos OS kernel filter processing, the 'payload-protocol' match is not supported, causing any term containing it to accept all packets without taking any other action. In essence, these firewall filter terms were being processed as an 'accept' for all traffic on the interface.

This issue affects Junos OS:

* all versions before 21.2R3-S9,
* from 21.4 before 21.4R3-S11,
* from 22.2 before 22.2R3-S7,
* from 22.4 before 22.4R3-S7,
* from 23.2 before 23.2R2-S4,
* from 23.4 before 23.4R2-S5,
* from 24.2 before 24.2R2-S1,
* from 24.4 before 24.4R1-S2, 24.4R2.

This is a more complete fix for previously published CVE-2024-21607 (JSA75748).
Severity CVSS v4.0: MEDIUM
Last modification:
11/07/2025
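
Because an affected device silently turns every term that contains a 'payload-protocol' match into an accept-all, the first thing an operator wants is a list of such terms in the running configuration. The script below is an added example, not Juniper code and not a reproduction of the bug: it walks a configuration in the curly-brace format printed by 'show configuration' (the sample configuration is constructed, and the 'set'-command format is not handled) and reports every family inet6 filter term that matches on payload-protocol, together with the action the operator believes that term applies.

```python
"""Audit a Junos OS configuration for family inet6 firewall filter terms that
match on 'payload-protocol'. Added example, not Juniper code: it lists the
terms whose match condition the advisory says was ignored. It assumes the
curly-brace format printed by 'show configuration' (not 'set' format)."""

# Constructed sample configuration; not from a real device.
SAMPLE_CONFIG = """
firewall {
    family inet6 {
        filter EDGE-IN {
            term block-telnet {
                from {
                    payload-protocol tcp;
                    destination-port 23;
                }
                then {
                    count telnet-drops;
                    discard;
                }
            }
            term allow-icmp {
                from {
                    next-header icmp6;
                }
                then accept;
            }
            term default {
                then discard;
            }
        }
    }
    family inet {
        filter V4-IN {
            term t1 {
                from {
                    protocol tcp;
                }
                then accept;
            }
        }
    }
}
"""


def find_payload_protocol_terms(config_text):
    """Return (filter, term, action) tuples for every family inet6 filter term
    that uses a payload-protocol match. A brace-depth walk keeps the current
    block path so matches are only reported under
    firewall / family inet6 / filter X / term Y / from."""
    path = []
    terms = {}  # (filter, term) -> {"payload_protocol": bool, "then": [...]}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())
            continue
        if line == "}":
            path.pop()
            continue
        stmt = line.rstrip(";")
        in_inet6_term = (
            len(path) >= 4
            and path[0] == "firewall"
            and path[1] == "family inet6"
            and path[2].startswith("filter ")
            and path[3].startswith("term ")
        )
        if not in_inet6_term:
            continue
        key = (path[2].split()[1], path[3].split()[1])
        entry = terms.setdefault(key, {"payload_protocol": False, "then": []})
        if len(path) == 5 and path[4] == "from" and stmt.startswith("payload-protocol "):
            entry["payload_protocol"] = True
        elif len(path) == 4 and stmt.startswith("then "):
            entry["then"].append(stmt[len("then "):])   # one-line action
        elif len(path) == 5 and path[4] == "then":
            entry["then"].append(stmt)                  # action block
    return [
        (flt, term, " ".join(v["then"]) or "(no action)")
        for (flt, term), v in terms.items()
        if v["payload_protocol"]
    ]


if __name__ == "__main__":
    for flt, term, action in find_payload_protocol_terms(SAMPLE_CONFIG):
        print("filter %s term %s: payload-protocol match, configured action '%s'"
              % (flt, term, action))
```

On the sample above the only hit is term block-telnet of filter EDGE-IN, whose configured discard is exactly what an affected release would not apply; family inet terms that use the 'protocol' match are not reported. Feed the script the output of 'show configuration | no-more' from each device to get the list of terms to verify after upgrading.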

CVE-2025-52952

Publication date:
11/07/2025
An Out-of-bounds Write vulnerability in the connectivity fault management (CFM) daemon of Juniper Networks Junos OS on MX Series with MPC-BUILTIN, MPC1 through MPC9 line cards allows an unauthenticated adjacent attacker to send a malformed packet to the device, leading to an FPC crash and restart, resulting in a Denial of Service (DoS).

Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.

This issue affects Juniper Networks Junos OS:

* all versions before 22.2R3-S1,
* from 22.4 before 22.4R2.

This feature is not enabled by default.
Severity CVSS v4.0: HIGH
Last modification:
11/07/2025

CVE-2025-30661

Publication date:
11/07/2025
An Incorrect Permission Assignment for Critical Resource vulnerability in line card script processing of Juniper Networks Junos OS allows a local, low-privileged user to install scripts to be executed as root, leading to privilege escalation.

A local user with access to the local file system can copy a script to the router in a way that will be executed as root as the system boots. Execution of the script as root can lead to privilege escalation, potentially providing the adversary complete control of the system.

This issue only affects specific line cards, such as the MPC10, MPC11, LC4800, LC9600, MX304-LMIC16, SRX4700, and EX9200-15C.

This issue affects Junos OS:

* from 23.2 before 23.2R2-S4,
* from 23.4 before 23.4R2-S5,
* from 24.2 before 24.2R2-S1,
* from 24.4 before 24.4R1-S3, 24.4R2.

This issue does not affect versions prior to 23.1R2.
Severity CVSS v4.0: HIGH
Last modification:
11/07/2025

CVE-2025-52946

Publication date:
11/07/2025
A Use After Free vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows an attacker sending a BGP update with a specifically malformed AS PATH to cause rpd to crash, resulting in a Denial of Service (DoS). Continuous receipt of the malformed AS PATH attribute will cause a sustained DoS condition.

On all Junos OS and Junos OS Evolved platforms, the rpd process will crash and restart when a specifically malformed AS PATH is received within a BGP update and traceoptions are enabled.

This issue only affects systems with BGP traceoptions enabled and requires a BGP session to be already established. Systems without BGP traceoptions enabled are not impacted by this issue.

This issue affects Junos OS:

* all versions before 21.2R3-S9,
* all versions of 21.4,
* from 22.2 before 22.2R3-S6,
* from 22.4 before 22.4R3-S5,
* from 23.2 before 23.2R2-S3,
* from 23.4 before 23.4R2-S4,
* from 24.2 before 24.2R2;

and Junos OS Evolved:

* all versions before 22.4R3-S5-EVO,
* from 23.2-EVO before 23.2R2-S3-EVO,
* from 23.4-EVO before 23.4R2-S4-EVO,
* from 24.2-EVO before 24.2R2-EVO.

This is a more complete fix for previously published CVE-2024-39549 (JSA83011).
Severity CVSS v4.0: HIGH
Last modification:
11/07/2025
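
The attribute at the centre of this advisory has a simple wire format, and what makes a "malformed AS PATH" dangerous is a receiver that trusts the per-segment length byte. The parser below is an added example, not Juniper code and not a reproduction of the rpd bug: it shows the bounds checks a BGP speaker performs on the AS_PATH attribute value (RFC 4271 path segments; 4-octet ASNs as in RFC 6793 when negotiated) so that a truncated or unknown segment is rejected before any of its contents are used. The sample attributes are constructed, not captured traffic.

```python
"""Strict parser for the value of a BGP AS_PATH attribute (RFC 4271 section 4.3;
4-octet ASNs as in RFC 6793 when the session negotiated them). Added example,
not Juniper code and not a reproduction of the rpd bug: it shows the bounds
checks a receiver performs so that a malformed attribute is rejected before any
of its contents are used."""
import struct

AS_SET, AS_SEQUENCE = 1, 2


class MalformedASPath(ValueError):
    """Raised for any AS_PATH that cannot be parsed to its exact end."""


def parse_as_path(value, as4=False):
    """Return [(segment_type, [asn, ...]), ...] from the raw attribute value,
    or raise MalformedASPath on a truncated segment or unknown segment type.
    Every length is checked against the remaining bytes before it is used."""
    asn_size, fmt = (4, "!I") if as4 else (2, "!H")
    segments = []
    pos = 0
    while pos < len(value):
        if len(value) - pos < 2:
            raise MalformedASPath("segment header truncated at offset %d" % pos)
        seg_type, seg_len = value[pos], value[pos + 1]
        pos += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise MalformedASPath("unknown segment type %d at offset %d"
                                  % (seg_type, pos - 2))
        need = seg_len * asn_size
        if len(value) - pos < need:
            raise MalformedASPath(
                "segment claims %d ASNs (%d bytes) but only %d bytes remain"
                % (seg_len, need, len(value) - pos))
        asns = [struct.unpack_from(fmt, value, pos + i * asn_size)[0]
                for i in range(seg_len)]
        pos += need
        segments.append((seg_type, asns))
    return segments


def check_as_path(value, as4=False):
    """Receiver-side gate: (True, segments) for a well-formed attribute,
    (False, reason) otherwise, so the caller can treat the UPDATE as a
    withdraw (RFC 7606) instead of continuing to process it."""
    try:
        return True, parse_as_path(value, as4)
    except MalformedASPath as exc:
        return False, str(exc)


def encode_as_path(segments, as4=False):
    """Build an attribute value from [(segment_type, [asn, ...]), ...]."""
    fmt = "!I" if as4 else "!H"
    out = bytearray()
    for seg_type, asns in segments:
        out += bytes([seg_type, len(asns)])
        for asn in asns:
            out += struct.pack(fmt, asn)
    return bytes(out)


# Constructed samples (not captured traffic): a valid two-hop AS_SEQUENCE, a
# segment whose length byte claims three ASNs while only one follows, and a
# segment with an undefined type.
GOOD_AS_PATH = encode_as_path([(AS_SEQUENCE, [64496, 64497])])
TRUNCATED_AS_PATH = bytes([AS_SEQUENCE, 3]) + struct.pack("!H", 64496)
BAD_TYPE_AS_PATH = bytes([9, 1]) + struct.pack("!H", 64496)

if __name__ == "__main__":
    for label, raw in (("good", GOOD_AS_PATH), ("truncated", TRUNCATED_AS_PATH),
                       ("bad type", BAD_TYPE_AS_PATH)):
        print(label, check_as_path(raw))
```

The two rejected samples are the shapes a fuzzer or an attacker on an established session would send: a length field that points past the end of the attribute, and a segment type the parser has no handler for. Any code path that logs or traces the attribute (the trigger condition named above is traceoptions) must run after this check, never on the raw bytes.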

CVE-2025-48924

Publication date:
11/07/2025
Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: commons-lang:commons-lang from 2.0 to 2.6, and org.apache.commons:commons-lang3 from 3.0 before 3.18.0.

The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2025

CVE-2025-52089

Publication date:
11/07/2025
A hidden remote support feature protected by a static secret in TOTOLINK N300RB firmware version 8.54 allows an authenticated attacker to execute arbitrary OS commands with root privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2025

CVE-2023-38327

Publication date:
11/07/2025
An issue was discovered in eGroupWare 17.1.20190111. A User Enumeration vulnerability exists under calendar/freebusy.php, which allows unauthenticated remote attackers to enumerate the users of web applications based on server response.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2025

CVE-2023-38329

Publication date:
11/07/2025
An issue was discovered in eGroupWare 17.1.20190111. A reflected cross-site scripting (XSS) vulnerability exists in calendar/freebusy.php, which allows unauthenticated remote attackers to inject arbitrary web script or HTML via the "user" HTTP GET parameter, whose value is reflected without sanitization.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2025
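
The two eGroupWare entries above (CVE-2023-38327 and CVE-2023-38329) describe the same endpoint and the same "user" parameter, so one example covers both. The code below is an added example, not eGroupWare code (which is PHP; Python is used here for consistency with the other examples on this page): the handler, account names and booking data are invented to show, side by side, a handler that reflects the parameter verbatim and answers differently for unknown accounts, and a hardened handler that escapes the echoed value and returns the same status and body shape whether or not the account exists.

```python
"""Vulnerable and hardened forms of a free/busy style handler that takes the
'user' query parameter. Added example, not eGroupWare code: names and data
are invented to show unescaped reflection of the parameter and a response
that differs for existing and non-existing accounts, beside the fix."""
import html

# Constructed accounts; 'bob' exists but has no bookings.
BUSY_SLOTS = {"alice": ["09:00-10:00"], "bob": []}


def render_slots(slots):
    return "<ul>%s</ul>" % "".join("<li>%s</li>" % html.escape(s) for s in slots)


def freebusy_vulnerable(user):
    """Reflects the parameter verbatim (XSS) and answers 404 for unknown
    accounts, so an unauthenticated caller can test names one by one."""
    if user not in BUSY_SLOTS:
        return 404, "<p>User %s not found</p>" % user
    return 200, "<p>Free/busy for %s</p>%s" % (user, render_slots(BUSY_SLOTS[user]))


def freebusy_hardened(user):
    """Escapes the echoed value so the browser renders it as text, and returns
    the same status and body shape whether or not the account exists: an
    unknown name looks exactly like a known account with no bookings."""
    safe = html.escape(user, quote=True)
    slots = BUSY_SLOTS.get(user, [])
    return 200, "<p>Free/busy for %s</p>%s" % (safe, render_slots(slots))


def reflects_unescaped(handler, payload="<script>alert(1)</script>"):
    """True if the payload comes back byte-for-byte in the body."""
    _, body = handler(payload)
    return payload in body


def leaks_existence(handler, known_empty="bob", unknown="nobody"):
    """True if, after substituting the echoed name, the response for an existing
    account without bookings differs from the one for a non-existent account."""
    s1, b1 = handler(known_empty)
    s2, b2 = handler(unknown)
    return (s1, b1.replace(known_empty, "X")) != (s2, b2.replace(unknown, "X"))


if __name__ == "__main__":
    for name, h in (("vulnerable", freebusy_vulnerable), ("hardened", freebusy_hardened)):
        print(name, "reflects payload:", reflects_unescaped(h),
              "leaks existence:", leaks_existence(h))
```

The two probe functions are the checks a tester runs against the real endpoint: send a marker in "user" and look for it unescaped in the body, and compare status and body for a known and an unknown account. Output escaping alone does not close the enumeration, and a uniform response alone does not close the XSS; the hardened handler needs both.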

CVE-2025-51591

Publication date:
11/07/2025
A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure by injecting a crafted iframe.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2025

CVE-2025-53861

Publication date:
11/07/2025
A flaw was found in Ansible. Sensitive cookies without security flags over non-encrypted channels can lead to Man-in-the-Middle (MitM) and Cross-site scripting (XSS) attacks allowing attackers to read transmitted data.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2025
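
The Ansible entry above gives no endpoint or cookie names, so the check a practitioner can apply is generic: parse every Set-Cookie header a deployment returns and report cookies that lack the attributes keeping them off plaintext HTTP (Secure) and away from script (HttpOnly), plus a SameSite setting. The script below is an added example, not Ansible code: the headers are constructed, and the policy it enforces is this example's, not the project's.

```python
"""Check Set-Cookie headers for the attributes that keep a session cookie off
plaintext HTTP and away from script. Added example, not Ansible code: the
headers below are constructed, and the policy (Secure, HttpOnly, SameSite
Lax or Strict on every cookie) is this example's, not the project's."""


def audit_set_cookie(header_value):
    """Parse one Set-Cookie value and return (cookie_name, [findings])."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: browser will also send it over plaintext HTTP (MitM)")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script, so XSS can steal it")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: sent on cross-site requests")
    return name, findings


def audit_response_headers(headers):
    """Audit every Set-Cookie header in a list of (name, value) pairs, as
    returned by http.client.HTTPResponse.getheaders(); the result maps cookie
    name to its findings (an empty list means the cookie passed)."""
    report = {}
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":
            cookie, findings = audit_set_cookie(hvalue)
            report[cookie] = findings
    return report


# Constructed headers, not captured from any product.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Set-Cookie", "csrftoken=xyz; Path=/; SameSite=Lax"),
]
STRONG_HEADERS = [
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for cookie, findings in audit_response_headers(WEAK_HEADERS).items():
        print(cookie, findings or "ok")
```

Run it against the header list of a login response; http.client keeps duplicate Set-Cookie headers as separate tuples, which is why the function takes pairs rather than a dictionary. A CSRF double-submit token is the one cookie that may legitimately lack HttpOnly, since the page's own script has to read it; the session cookie never is.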

CVE-2025-53862

Publication date:
11/07/2025
A flaw was found in Ansible. Three API endpoints are accessible and return verbose, unauthenticated responses. This flaw allows a malicious user to access data that may contain important information.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2025

CVE-2025-6788

Publication date:
11/07/2025
CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that exposes TGML diagram resources to the wrong control sphere, providing other authenticated users with potentially inappropriate access to TGML diagrams.
Severity CVSS v4.0: MEDIUM
Last modification:
11/07/2025