Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-24400

Publication date:
22/01/2025
Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key during signing operations, allowing attackers able to create a credential with the same ID as a legitimate one in a different credentials store to sign an event published to RabbitMQ with the legitimate credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2025

CVE-2024-51457

Publication date:
22/01/2025
IBM Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.19 and 23.0.0 through 23.0.19 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2025

CVE-2025-20156

Publication date:
22/01/2025
A vulnerability in the REST API of Cisco Meeting Management could allow a remote, authenticated attacker with low privileges to elevate privileges to administrator on an affected device. This vulnerability exists because proper authorization is not enforced upon REST API users. An attacker could exploit this vulnerability by sending API requests to a specific endpoint. A successful exploit could allow the attacker to gain administrator-level control over edge nodes that are managed by Cisco Meeting Management.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2025

CVE-2025-20128

Publication date:
22/01/2025
A vulnerability in the Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an integer underflow in a bounds check that allows for a heap buffer overflow read. An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to terminate the ClamAV scanning process, resulting in a DoS condition on the affected software. For a description of this vulnerability, see the . Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-23992

Publication date:
22/01/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in toocheke Toocheke Companion toocheke-companion allows Stored XSS. This issue affects Toocheke Companion: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026

CVE-2025-23809

Publication date:
22/01/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sunil Nanda Blue Wrench Video Widget blue-wrench-videos-widget allows Reflected XSS. This issue affects Blue Wrench Video Widget: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026

CVE-2025-23914

Publication date:
22/01/2025
Deserialization of Untrusted Data vulnerability in muzaara Muzaara Google Ads Report muzaara-adwords-optimize-dashboard allows Object Injection. This issue affects Muzaara Google Ads Report: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026

CVE-2024-31903

Publication date:
22/01/2025
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2 allows an attacker on the local network to execute arbitrary code on the system, caused by the deserialization of untrusted data.
Severity CVSS v4.0: Pending analysis
Last modification:
05/03/2025

CVE-2024-42012

Publication date:
22/01/2025
GRAU DATA Blocky before 3.1 stores passwords encrypted rather than hashed. At the login screen, the user's password is compared to the user's decrypted cleartext password. An attacker with Windows admin or debugging rights can therefore steal the user's Blocky password and from there impersonate that local user.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2025

CVE-2024-42013

Publication date:
22/01/2025
In GRAU DATA Blocky before 3.1, Blocky-Gui has a Client-Side Enforcement of Server-Side Security vulnerability. An attacker with Windows administrative or debugging privileges can patch a binary in memory or on disk to bypass the password login requirement and gain full access to all functions of the program.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2025

CVE-2025-0638

Publication date:
22/01/2025
The initial code parsing the manifest did not check the content of the file names, yet later code assumed that it was checked and panicked when encountering illegal characters, resulting in a crash of Routinator.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2025

CVE-2024-55488

Publication date:
22/01/2025
A stored cross-site scripting (XSS) vulnerability in Umbraco CMS v14.3.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. NOTE: This has been disputed by the vendor since this potential attack is only possible via authenticated users who have been manually allowed access to the CMS. There was a deliberate decision made not to apply HTML sanitization at the product level.
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2025