Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-25774

Publication date:
12/03/2025
An issue was discovered in Open5GS v2.7.2. When a UE switches between two gNBs and sends a handover request at a specific time, it may cause an exception in the AMF's internal state machine, leading to an AMF crash and resulting in a Denial of Service (DoS).
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025

CVE-2024-34398

Publication date:
12/03/2025
An issue was discovered in BMC Remedy Mid Tier 7.6.04. The web application allows stored HTML Injection by authenticated remote attackers.
Severity CVSS v4.0: Pending analysis
Last modification:
12/03/2025

CVE-2025-27867

Publication date:
12/03/2025
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Apache Felix HTTP Webconsole Plugin.<br /> <br /> This issue affects Apache Felix HTTP Webconsole Plugin: from Version 1.X through 1.2.0.<br /> <br /> Users are recommended to upgrade to version 1.2.2, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
21/03/2025

CVE-2025-2002

Publication date:
12/03/2025
CWE-532: Insertion of Sensitive Information into Log Files vulnerability exists that could cause the disclosure<br /> of FTP server credentials when the FTP server is deployed, and the device is placed in debug mode by an<br /> administrative user and the debug files are exported from the device.
Severity CVSS v4.0: MEDIUM
Last modification:
12/03/2025

CVE-2025-25711

Publication date:
12/03/2025
An issue in dtp.ae tNexus Airport View v.2.8 allows a remote attacker to escalate privileges via the ProfileID value to the [/tnexus/rest/admin/updateUser] API endpoint
Severity CVSS v4.0: Pending analysis
Last modification:
12/03/2025

CVE-2025-26260

Publication date:
12/03/2025
Plenti
Severity CVSS v4.0: Pending analysis
Last modification:
19/03/2025

CVE-2025-20145

Publication date:
12/03/2025
A vulnerability in the access control list (ACL) processing in the egress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL.<br /> <br /> This vulnerability exists because certain packets are handled incorrectly when they are received on an ingress interface on one line card and destined out of an egress interface on another line card where the egress ACL is configured. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to bypass an egress ACL on the affected device.<br /> For more information about this vulnerability, see the section of this advisory.<br /> Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
12/03/2025

CVE-2025-20146

Publication date:
12/03/2025
A vulnerability in the Layer 3 multicast feature of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers, ASR 9902 Compact High-Performance Routers, and ASR 9903 Compact High-Performance Routers could allow an unauthenticated, remote attacker to cause a line card to reset, resulting in a denial of service (DoS) condition.<br /> <br /> This vulnerability is due to the incorrect handling of malformed IPv4 multicast packets that are received on line cards where the interface has either an IPv4 access control list (ACL) or a QoS policy applied. An attacker could exploit this vulnerability by sending crafted IPv4 multicast packets through an affected device. A successful exploit could allow the attacker to cause line card exceptions or a hard reset. Traffic over that line card would be lost while the line card reloads.
Severity CVSS v4.0: Pending analysis
Last modification:
12/03/2025

CVE-2025-20177

Publication date:
12/03/2025
A vulnerability in the boot process of Cisco IOS XR Software could allow an authenticated, local attacker to bypass Cisco IOS XR image signature verification and load unverified software on an affected device. To exploit this vulnerability, the attacker must have root-system privileges on the affected device.<br /> <br /> This vulnerability is due to incomplete validation of files in the boot verification process. An attacker could exploit this vulnerability by manipulating the system configuration options to bypass some of the integrity checks that are performed during the boot process. A successful exploit could allow the attacker to control the boot configuration, which could enable them to bypass the requirement to run Cisco-signed images or alter the security properties of the running system.<br /> Note: Because exploitation of this vulnerability could result in the attacker bypassing Cisco image verification, Cisco has raised the Security Impact Rating (SIR) of this advisory from Medium to High.
Severity CVSS v4.0: Pending analysis
Last modification:
12/03/2025

CVE-2025-20209

Publication date:
12/03/2025
A vulnerability in the Internet Key Exchange version 2 (IKEv2) function of Cisco IOS XR Software could allow an unauthenticated, remote attacker to prevent an affected device from processing any control plane UDP packets.&amp;nbsp;<br /> <br /> This vulnerability is due to improper handling of malformed IKEv2 packets. An attacker could exploit this vulnerability by sending malformed IKEv2 packets to an affected device. A successful exploit could allow the attacker to prevent the affected device from processing any control plane UDP packets, resulting in a denial of service (DoS) condition.<br /> Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
12/03/2025

CVE-2025-25568

Publication date:
12/03/2025
SoftEtherVPN 5.02.5187 is vulnerable to Use after Free in the Command.c file via the CheckNetworkAcceptThread function.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2025

CVE-2025-25567

Publication date:
12/03/2025
SoftEther VPN 5.02.5187 is vulnerable to Buffer Overflow in Internat.c via the UniToStrForSingleChars function.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2025