Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-9378

Publication date:
28/01/2025
In BnAudioPolicyService::onTransact of IAudioPolicyService.cpp, there is a possible information disclosure due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2025-24800

Publication date:
28/01/2025
Hyperbridge is a hyper-scalable coprocessor for verifiable, cross-chain interoperability. A critical vulnerability was discovered in the ismp-grandpa crate that allowed a malicious prover to easily convince the verifier of the finality of arbitrary headers. This could be used to steal funds or compromise other kinds of cross-chain applications. This vulnerability is fixed in 15.0.1.
Severity CVSS v4.0: CRITICAL
Last modification:
28/01/2025

CVE-2025-23213

Publication date:
28/01/2025
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The file upload feature allows uploading arbitrary files, including HTML and SVG. Both can contain malicious content (XSS payloads). This vulnerability is fixed in 1.5.28.
Severity CVSS v4.0: Pending analysis
Last modification:
08/05/2025

CVE-2025-23212

Publication date:
28/01/2025
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The external storage feature allows any user to enumerate the name and content of files on the server. This vulnerability is fixed in 1.5.28.
Severity CVSS v4.0: Pending analysis
Last modification:
08/05/2025

CVE-2025-23385

Publication date:
28/01/2025
In JetBrains ReSharper before 2024.3.4, 2024.2.8, and 2024.1.7, Rider before 2024.3.4, 2024.2.8, and 2024.1.7, dotTrace before 2024.3.4, 2024.2.8, and 2024.1.7, and ETW Host Service before 16.43, local privilege escalation via the ETW Host Service was possible.
Severity CVSS v4.0: Pending analysis
Last modification:
12/01/2026

CVE-2025-0432

Publication date:
28/01/2025
EWON Flexy 202 transmits user credentials in clear text with no encryption when a user is added, or user credentials are changed via its webpage.
Severity CVSS v4.0: MEDIUM
Last modification:
28/01/2025

CVE-2025-0659

Publication date:
28/01/2025
A path traversal vulnerability exists in the Rockwell Automation DataEdge Platform DataMosaix Private Cloud. By specifying the character sequence in the body of the vulnerable endpoint, it is possible to overwrite files outside of the intended directory. A threat actor with admin privileges could leverage this vulnerability to overwrite reports including user projects.
Severity CVSS v4.0: HIGH
Last modification:
28/01/2025

CVE-2025-23045

Publication date:
28/01/2025
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with an account on an affected CVAT instance is able to run arbitrary code in the context of the Nuclio function container. This vulnerability affects CVAT deployments that run any of the serverless functions of type tracker from the CVAT Git repository, namely TransT and SiamMask. Deployments with custom functions of type tracker may also be affected, depending on how they handle state serialization. If a function uses an unsafe serialization library such as pickle or jsonpickle, it's likely to be vulnerable. Upgrade to CVAT 2.26.0 or later. If you are unable to upgrade, shut down any instances of the TransT or SiamMask functions you're running.
Severity CVSS v4.0: HIGH
Last modification:
16/09/2025

CVE-2025-23211

Publication date:
28/01/2025
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. A Jinja2 SSTI vulnerability allows any user to execute commands on the server; when deployed with the provided Docker Compose file, these commands run as root. This vulnerability is fixed in 1.5.24.
Severity CVSS v4.0: Pending analysis
Last modification:
08/05/2025

CVE-2024-7881

Publication date:
28/01/2025
An unprivileged context can trigger a data memory-dependent prefetch engine to fetch the contents of a privileged location and consume those contents as an address that is also dereferenced.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2025

CVE-2024-6351

Publication date:
28/01/2025
A malformed packet can cause a buffer overflow in the NWK/APS layer of the Ember ZNet stack and lead to an assert.
Severity CVSS v4.0: Pending analysis
Last modification:
18/02/2025

CVE-2024-11956

Publication date:
28/01/2025
A vulnerability, which was classified as critical, has been found in Pimcore customer-data-framework up to 4.2.0. Affected by this issue is some unknown functionality of the file /admin/customermanagementframework/customers/list. The manipulation of the argument filterDefinition/filter leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.2.1 is able to address this issue. It is recommended to upgrade the affected component.
Severity CVSS v4.0: MEDIUM
Last modification:
04/11/2025