Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters, you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-41399

Publication date:
07/05/2025
When a Stream Control Transmission Protocol (SCTP) profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity CVSS v4.0: HIGH
Last modification:
21/10/2025

CVE-2025-41414

Publication date:
07/05/2025
When HTTP/2 client and server profile is configured on a virtual server, undisclosed requests can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity CVSS v4.0: HIGH
Last modification:
21/10/2025

CVE-2025-41431

Publication date:
07/05/2025
When connection mirroring is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate in the standby BIG-IP systems in a traffic group. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity CVSS v4.0: HIGH
Last modification:
06/08/2025

CVE-2025-41433

Publication date:
07/05/2025
When a Session Initiation Protocol (SIP) message routing framework (MRF) application layer gateway (ALG) profile is configured on a Message Routing virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity CVSS v4.0: HIGH
Last modification:
21/10/2025

CVE-2025-43878

Publication date:
07/05/2025
When running in Appliance mode, an authenticated attacker assigned the Administrator or Resource Administrator role may be able to bypass Appliance mode restrictions utilizing system diagnostics tcpdump command utility on a F5OS-C/A system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity CVSS v4.0: HIGH
Last modification:
07/11/2025

CVE-2025-35995

Publication date:
07/05/2025
When a BIG-IP PEM system is licensed with URL categorization, and the URL categorization policy or an iRule with the urlcat command is enabled on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity CVSS v4.0: HIGH
Last modification:
29/09/2025

CVE-2025-36504

Publication date:
07/05/2025
When a BIG-IP HTTP/2 httprouter profile is configured on a virtual server, undisclosed responses can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity CVSS v4.0: HIGH
Last modification:
21/10/2025

CVE-2025-36525

Publication date:
07/05/2025
When a BIG-IP APM virtual server is configured to use a PingAccess profile, undisclosed requests can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity CVSS v4.0: HIGH
Last modification:
29/09/2025

CVE-2025-36546

Publication date:
07/05/2025
On an F5OS system, if the root user had previously configured the system to allow login via SSH key-based authentication, and then enabled Appliance Mode; access via SSH key-based authentication is still allowed. For an attacker to exploit this vulnerability they must obtain the root user's SSH private key. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity CVSS v4.0: CRITICAL
Last modification:
21/10/2025

CVE-2025-31644

Publication date:
07/05/2025
When running in Appliance mode, a command injection vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command which may allow an authenticated attacker with administrator role privileges to execute arbitrary system commands. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity CVSS v4.0: HIGH
Last modification:
21/10/2025

CVE-2023-7303

Publication date:
07/05/2025
A vulnerability, which was classified as problematic, was found in q2apro q2apro-on-site-notifications up to 1.4.6. This affects the function process_request of the file q2apro-onsitenotifications-page.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 1.4.8 is able to address this issue. The patch is named 0ca85ca02f8aceb661e9b71fd229c45d388ea5b5. It is recommended to upgrade the affected component.
Severity CVSS v4.0: MEDIUM
Last modification:
08/05/2025

CVE-2024-11953

Publication date:
07/05/2025
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2025