Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-25709
Publication date:
12/03/2025
An issue in dtp.ae tNexus Airport View v.2.8 allows a remote attacker to escalate privileges via the addUser and updateUser endpoints
Severity CVSS v4.0: Pending analysis
Last modification:
12/03/2025

CVE-2025-27788
Publication date:
12/03/2025
JSON is a JSON implementation for Ruby. Starting in version 2.10.0 and prior to version 2.10.2, a specially crafted document could cause an out of bound read, most likely resulting in a crash. Versions prior to 2.10.0 are not vulnerable. Version 2.10.2 fixes the problem. No known workarounds are available.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2025

CVE-2025-21590
Publication date:
12/03/2025
An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to compromise the integrity of the device.<br /> <br /> A local attacker with access to the shell is able to inject arbitrary code which can compromise an affected device.<br /> This issue is not exploitable from the Junos CLI.<br /> This issue affects Junos OS: <br /> <br /> <br /> <br /> * All versions before 21.2R3-S9,<br /> * 21.4 versions before 21.4R3-S10, <br /> * 22.2 versions before 22.2R3-S6, <br /> * 22.4 versions before 22.4R3-S6, <br /> * 23.2 versions before 23.2R2-S3, <br /> * 23.4 versions before 23.4R2-S4,<br /> * 24.2 versions before 24.2R1-S2, 24.2R2.
Severity CVSS v4.0: MEDIUM
Last modification:
14/03/2025

CVE-2024-52362
Publication date:
12/03/2025
IBM App Connect Enterprise Certified Container 7.2, 8.0, 8.1, 8.2, 9.0, 9.1, 9.2, 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 12.0, 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7, and 12.8 could allow an authenticated user to cause a denial of service in the App Connect flow due to improper validation of server-side input.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2025

CVE-2025-29904
Publication date:
12/03/2025
In JetBrains Ktor before 3.1.1 an HTTP Request Smuggling was possible
Severity CVSS v4.0: Pending analysis
Last modification:
12/03/2025

CVE-2025-29903
Publication date:
12/03/2025
In JetBrains Runtime before 21.0.6b872.80 arbitrary dynamic library execution due to insecure macOS flags was possible
Severity CVSS v4.0: Pending analysis
Last modification:
12/03/2025

CVE-2024-10838
Publication date:
12/03/2025
An integer underflow during deserialization may allow any unauthenticated user to read out of bounds heap memory. This may result into secret data or pointers revealing the layout of the address space to be included into a deserialized data structure, which may potentially lead to thread crashes or cause denial of service conditions.
Severity CVSS v4.0: HIGH
Last modification:
31/07/2025

CVE-2025-1527
Publication date:
12/03/2025
The ShopLentor – WooCommerce Builder for Elementor &amp; Gutenberg +20 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to a Stored DOM-Based Cross-Site Scripting via the plugin&amp;#39;s Flash Sale Countdown module in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2025

CVE-2024-13872
Publication date:
12/03/2025
Bitdefender Box, versions 1.3.11.490 through 1.3.11.505, uses the insecure HTTP protocol to download assets over the Internet to update and restart daemons and detection rules on the devices. Updates can be remotely triggered through the /set_temp_token API method. Then, an unauthenticated and network-adjacent attacker can use man-in-the-middle (MITM) techniques to return malicious responses. Restarted daemons that use malicious assets can then be exploited for remote code execution on the device.
Severity CVSS v4.0: CRITICAL
Last modification:
30/07/2025

CVE-2024-13871
Publication date:
12/03/2025
A command injection vulnerability exists in the /check_image_and_trigger_recovery API endpoint of Bitdefender Box 1 (firmware version 1.3.11.490). This flaw allows an unauthenticated, network-adjacent attacker to execute arbitrary commands on the device, potentially leading to full remote code execution (RCE).
Severity CVSS v4.0: CRITICAL
Last modification:
30/07/2025

CVE-2024-13870
Publication date:
12/03/2025
An improper access control vulnerability exists in Bitdefender Box 1 (firmware version 1.3.52.928 and below) that allows an unauthenticated attacker to downgrade the device&amp;#39;s firmware to an older, potentially vulnerable version of a Bitdefender-signed firmware. The attack requires Bitdefender BOX to be booted in Recovery Mode and that the attacker be present within the WiFi range of the BOX unit.
Severity CVSS v4.0: LOW
Last modification:
30/07/2025

CVE-2025-2239
Publication date:
12/03/2025
Generation of Error Message Containing Sensitive Information vulnerability in Hillstone Networks Hillstone Next Generation FireWall.This issue affects Hillstone Next Generation FireWall: from 5.5R8P1 before 5.5R8P23.
Severity CVSS v4.0: Pending analysis
Last modification:
12/03/2025
Subscribe to Vulnerabilities