Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-12796
Publication date:
16/09/2025
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Holistic IT, Consultancy Coop. Workcube ERP allows Reflected XSS.This issue affects Workcube ERP: from V12 - V14 before Cognitive.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-7355
Publication date:
16/09/2025
Authorization Bypass Through User-Controlled Key vulnerability in Beefull Energy Technologies Beefull App allows Exploitation of Trusted Identifiers.This issue affects Beefull App: before 24.07.2025.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-55834
Publication date:
16/09/2025
A Cross Site Scripting vulnerability in JeeWMS v.3.7 and before allows a remote attacker to obtain sensitive information via the logController.do component
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2025

CVE-2025-55118
Publication date:
16/09/2025
Memory corruptions can be remotely triggered in the Control-M/Agent when SSL/TLS communication is configured.<br /> <br /> <br /> The issue occurs in the following cases:<br /> <br /> * Control-M/Agent 9.0.20: SSL/TLS configuration is set to the non-default setting "use_openssl=n";<br /> * Control-M/Agent 9.0.21 and 9.0.22: Agent router configuration uses the non-default settings "JAVA_AR=N" and "use_openssl=n"
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026

CVE-2025-55117
Publication date:
16/09/2025
A stack-based buffer overflow can be remotely triggered when formatting an error message in the Control-M/Agent when SSL/TLS communication is configured.<br /> <br /> <br /> The issue occurs in the following cases:<br /> <br /> * Control-M/Agent 9.0.20: SSL/TLS configuration is set to the non-default setting "use_openssl=n";<br /> * Control-M/Agent 9.0.21 and 9.0.22: Agent router configuration uses the non-default settings "JAVA_AR=N" and "use_openssl=n".
Severity CVSS v4.0: MEDIUM
Last modification:
10/10/2025

CVE-2025-55115
Publication date:
16/09/2025
A path traversal in the Control-M/Agent can lead to a local privilege escalation when an attacker has access to the system running the Agent. This vulnerability impacts the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions. This vulnerability was fixed in 9.0.20.100 and above.
Severity CVSS v4.0: CRITICAL
Last modification:
10/10/2025

CVE-2025-55116
Publication date:
16/09/2025
A buffer overflow in the Control-M/Agent can lead to a local privilege escalation when an attacker has access to the system running the Agent.<br /> <br /> This vulnerability impacts the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions.
Severity CVSS v4.0: CRITICAL
Last modification:
10/10/2025

CVE-2025-55113
Publication date:
16/09/2025
If the Access Control List is enforced by the Control-M/Agent and the C router is in use (default in Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions; non-default but configurable using the JAVA_AR setting in newer versions), the verification stops at the first NULL byte encountered in the email address referenced in the client certificate. An attacker could bypass configured ACLs by using a specially crafted certificate.
Severity CVSS v4.0: CRITICAL
Last modification:
10/10/2025

CVE-2025-55114
Publication date:
16/09/2025
The improper order of AUTHORIZED_CTM_IP validation in the Control-M/Agent, where the Control-M/Server IP address is validated only after the SSL/TLS handshake is completed, exposes the Control-M/Agent to vulnerabilities in the SSL/TLS implementation under certain non-default conditions (e.g. CVE-2025-55117 or CVE-2025-55118) or potentially to resource exhaustion.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2025-55112
Publication date:
16/09/2025
Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 (and potentially earlier unsupported versions) that are configured to use the non-default Blowfish cryptography algorithm use a hardcoded key. An attacker with access to network traffic and to this key could decrypt network traffic between the Control-M/Agent and Server.
Severity CVSS v4.0: HIGH
Last modification:
10/10/2025

CVE-2025-55111
Publication date:
16/09/2025
Certain files with overly permissive permissions were identified in the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions as well as in newer versions which were upgraded from an affected version. These files contain keys and passwords relating to SSL files, keystore and policies. An attacker with local access to the system running the Agent can access these files.
Severity CVSS v4.0: MEDIUM
Last modification:
29/09/2025

CVE-2025-55109
Publication date:
16/09/2025
An authentication bypass vulnerability exists in the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions when using an empty or default kdb keystore or a default PKCS#12 keystore. A remote attacker with access to a signed third-party or demo certificate for client authentication can bypass the need for a certificate signed by the certificate authority of the organization during authentication on the Control-M/Agent.<br /> <br /> The Control-M/Agent contains hardcoded certificates which are only trusted as fallback if an empty kdb keystore is used; they are never trusted if a PKCS#12 keystore is used. All of these certificates are now expired.<br /> <br /> <br /> In addition, the Control-M/Agent default kdb and PKCS#12 keystores contain trusted third-party certificates (external recognized CAs and default self-signed demo certificates) which are trusted for client authentication.
Severity CVSS v4.0: CRITICAL
Last modification:
10/10/2025
Subscribe to Vulnerabilities