Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-52981

Publication date:
08/04/2025
An issue was discovered in Elasticsearch, where a large recursion using the Well-Known Text formatted string with nested GeometryCollection objects could cause a stack overflow.
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2025

CVE-2025-25226

Publication date:
08/04/2025
Improper handling of identifiers leads to a SQL injection vulnerability in the quoteNameStr method of the database package. Please note: the affected method is a protected method. It has no usages in the original packages in either the 2.x or the 3.x branch, and therefore the vulnerability in question cannot be exploited when using the original database class. However, classes extending the affected class might be affected if the vulnerable method is used.
Severity CVSS v4.0: Pending analysis
Last modification:
04/06/2025

CVE-2025-25227

Publication date:
08/04/2025
Insufficient state checks lead to a vector that allows bypassing 2FA checks.
Severity CVSS v4.0: Pending analysis
Last modification:
04/06/2025

CVE-2024-48887

Publication date:
08/04/2025
An unverified password change vulnerability in Fortinet FortiSwitch GUI may allow a remote unauthenticated attacker to change admin passwords via a specially crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
23/07/2025

CVE-2024-52974

Publication date:
08/04/2025
An issue has been identified where a specially crafted request sent to an Observability API could cause the Kibana server to crash. A successful attack requires a malicious user to have read permissions for Observability assigned to them.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2025

CVE-2024-52980

Publication date:
08/04/2025
A flaw was discovered in Elasticsearch, where a large recursion using the innerForbidCircularReferences function of the PatternBank class could cause the Elasticsearch node to crash. A successful attack requires a malicious user to have read_pipeline Elasticsearch cluster privilege assigned to them.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2025

CVE-2025-3288

Publication date:
08/04/2025
A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
Severity CVSS v4.0: HIGH
Last modification:
14/07/2025

CVE-2025-3289

Publication date:
08/04/2025
A local code execution vulnerability exists in the Rockwell Automation Arena® due to a stack-based memory buffer overflow. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
Severity CVSS v4.0: HIGH
Last modification:
14/07/2025

CVE-2025-32026

Publication date:
08/04/2025
Element Web is a Matrix web client built using the Matrix React SDK. Element Web, starting from version 1.11.16 up to version 1.11.96, can be configured to load Element Call from an external URL. Under certain conditions, the external page is able to get access to the media encryption keys used for an Element Call call. Version 1.11.97 fixes the problem.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2025

CVE-2025-3285

Publication date:
08/04/2025
A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
Severity CVSS v4.0: HIGH
Last modification:
14/07/2025

CVE-2025-3286

Publication date:
08/04/2025
A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
Severity CVSS v4.0: HIGH
Last modification:
14/07/2025

CVE-2025-3287

Publication date:
08/04/2025
A local code execution vulnerability exists in the Rockwell Automation Arena® due to a stack-based memory buffer overflow. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
Severity CVSS v4.0: HIGH
Last modification:
14/07/2025