Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-57064
Publication date:
05/02/2025
A prototype pollution in the lib.setValue function of @syncfusion/ej2-spreadsheet v27.2.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. NOTE: the Supplier disputes this because they found that the lib.setValue function is not utilized.
Severity CVSS v4.0: Pending analysis
Last modification:
10/03/2025

CVE-2024-48394
Publication date:
05/02/2025
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability has been identified in the driver of the NDD Print solution, which could allow an unprivileged user to exploit this flaw and gain SYSTEM-level access on the device. The vulnerability affects version 5.24.3 and before of the software.
Severity CVSS v4.0: Pending analysis
Last modification:
19/03/2025

CVE-2020-36084
Publication date:
05/02/2025
SQL Injection vulnerability in SourceCodester Responsive E-Learning System 1.0 allows remote attackers to inject sql query in /elearning/delete_teacher_students.php?id= parameter via id field.
Severity CVSS v4.0: Pending analysis
Last modification:
02/05/2025

CVE-2025-24372
Publication date:
05/02/2025
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Using a specially crafted file, a user could potentially upload a file containing code that when executed could send arbitrary requests to the server. If that file was opened by an administrator, it could lead to escalation of privileges of the original submitter or other malicious actions. Users must have been registered to the site to exploit this vulnerability. This vulnerability has been fixed in CKAN 2.10.7 and 2.11.2. Users are advised to upgrade. On versions prior to CKAN 2.10.7 and 2.11.2, site maintainers can restrict the file types supported for uploading using the `ckan.upload.user.mimetypes` / `ckan.upload.user.types` and `ckan.upload.group.mimetypes` / `ckan.upload.group.types` config options. To entirely disable file uploads users can use: `ckan.upload.user.types = none`
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2025-24803
Publication date:
05/02/2025
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. According to Apple's documentation for bundle ID's, it must contain only alphanumeric characters (A–Z, a–z, and 0–9), hyphens (-), and periods (.). However, an attacker can manually modify this value in the `Info.plist` file and add special characters to the `CFBundleIdentifier` value. The `dynamic_analysis.html` file does not sanitize the received bundle value from Corellium and as a result, it is possible to break the HTML context and achieve Stored XSS. This issue has been addressed in version 4.3.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: HIGH
Last modification:
05/02/2025

CVE-2025-24804
Publication date:
05/02/2025
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. According to Apple's documentation for bundle ID's, it must contain only alphanumeric characters (A–Z, a–z, and 0–9), hyphens (-), and periods (.). However, an attacker can manually modify this value in the `Info.plist` file and add special characters to the `CFBundleIdentifier` value. When the application parses the wrong characters in the bundle ID, it encounters an error. As a result, it will not display content and will throw a 500 error instead. The only way to make the pages work again is to manually remove the malicious application from the system. This issue has been addressed in version 4.3.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: MEDIUM
Last modification:
05/02/2025

CVE-2025-24805
Publication date:
05/02/2025
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. A local user with minimal privileges is able to make use of an access token for materials for scopes which it should not be accepted. This issue has been addressed in version 4.3.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: HIGH
Last modification:
05/02/2025

CVE-2025-24326
Publication date:
05/02/2025
When BIG-IP Advanced WAF/ASM Behavioral DoS (BADoS) TLS Signatures feature is configured, undisclosed traffic can case an increase in memory resource utilization.<br /> <br /> <br /> <br /> <br /> Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity CVSS v4.0: HIGH
Last modification:
05/02/2025

CVE-2025-24497
Publication date:
05/02/2025
When URL categorization is configured on a virtual server, undisclosed requests can cause TMM to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity CVSS v4.0: HIGH
Last modification:
05/02/2025

CVE-2025-24312
Publication date:
05/02/2025
When BIG-IP AFM is provisioned with IPS module enabled and protocol inspection profile is configured on a virtual server or firewall rule or policy, undisclosed traffic can cause an increase in CPU resource utilization.  <br /> <br /> Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity CVSS v4.0: HIGH
Last modification:
05/02/2025

CVE-2025-24319
Publication date:
05/02/2025
When BIG-IP Next Central Manager is running, undisclosed requests to the BIG-IP Next Central Manager API can cause the BIG-IP Next Central Manager Node&amp;#39;s Kubernetes service to terminate.<br /> <br /> <br /> <br /> <br /> <br /> <br /> Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity CVSS v4.0: HIGH
Last modification:
05/02/2025

CVE-2025-24320
Publication date:
05/02/2025
A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. This vulnerability is due to an incomplete fix for CVE-2024-31156 https://my.f5.com/manage/s/article/K000138636 . <br /> <br /> Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity CVSS v4.0: MEDIUM
Last modification:
05/02/2025
Subscribe to Vulnerabilities