Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-13641
Publication date:
14/02/2025
The Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.5 via the 'attachment' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/attachment directory which can contain file attachments for order refunds.
Severity CVSS v4.0: Pending analysis
Last modification:
25/02/2025

CVE-2025-23406
Publication date:
14/02/2025
Out-of-bounds read vulnerability caused by improper checking of TCP MSS option values exists in Cente middleware TCP/IP Network Series, which may lead to processing a specially crafted packet to cause the affected product crashed.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-2240
Publication date:
14/02/2025
Docker daemon in Brocade SANnav before SANnav 2.3.1b runs without auditing. The vulnerability could allow a remote authenticated attacker to execute various attacks.
Severity CVSS v4.0: HIGH
Last modification:
26/08/2025

CVE-2025-26519
Publication date:
14/02/2025
musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write vulnerability when an attacker can trigger iconv conversion of untrusted EUC-KR text to UTF-8.
Severity CVSS v4.0: Pending analysis
Last modification:
10/12/2025

CVE-2024-55904
Publication date:
14/02/2025
IBM DevOps Deploy 8.0 through 8.0.1.4, 8.1 through 8.1.0.0 / IBM UrbanCode Deploy 7.0 through 7.0.5.25, 7.1 through 7.1.2.21, 7.2 through 7.2.3.14, and 7.3 through 7.3.2.9 could allow a remote privileged authenticated attacker to execute arbitrary commands on the system by sending specially crafted input containing special elements.
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2025

CVE-2025-1053
Publication date:
14/02/2025
Under certain error conditions at time of SANnav installation or upgrade, the encryption key can be written into and obtained from a Brocade SANnav supportsave. An attacker with privileged access to the Brocade SANnav database could use the encryption key to obtain passwords used by Brocade SANnav.
Severity CVSS v4.0: HIGH
Last modification:
26/09/2025

CVE-2024-10404
Publication date:
14/02/2025
CalInvocationHandler in Brocade <br /> SANnav before 2.3.1b logs sensitive information in clear text. The <br /> vulnerability could allow an authenticated, local attacker to view <br /> Brocade Fabric OS switch sensitive information in clear text. An <br /> attacker with administrative privileges could retrieve sensitive <br /> information including passwords; SNMP responses that contain AuthSecret <br /> and PrivSecret after collecting a “supportsave” or getting access to an <br /> already collected “supportsave”. NOTE: this issue exists because of an incomplete fix for CVE-2024-29952
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2025-22961
Publication date:
13/02/2025
A critical information disclosure vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT, VAXT transmitters due to Incorrect Access Control (CWE-284). Unauthenticated attackers can directly access sensitive database backup files (snapshot_users.db) via publicly exposed URLs (/logs/devcfg/snapshot/ and /logs/devcfg/user/). Exploiting this vulnerability allows retrieval of sensitive user data, including login credentials, potentially leading to full system compromise.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2025-22962
Publication date:
13/02/2025
A critical remote code execution (RCE) vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT, VAXT transmitters when debugging mode is enabled. An attacker with a valid session ID (sess_id) can send specially crafted POST requests to the /json endpoint, enabling arbitrary command execution on the underlying system. This vulnerability can lead to full system compromise, including unauthorized access, privilege escalation, and potentially full device takeover.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-37600
Publication date:
13/02/2025
An issue was discovered in Mercedes Benz NTG (New Telematics Generation) 6 through 2021. A possible stack buffer overflow in the Service Broker service affects NTG 6 head units. To perform this attack, physical access to Ethernet pins of the head unit base board is needed. With a static IP address, an attacker can connect via the internal network to the Service Broker service. With prepared HTTP requests, an attacker can cause the Service-Broker service to fail.
Severity CVSS v4.0: Pending analysis
Last modification:
27/06/2025

CVE-2024-37601
Publication date:
13/02/2025
An issue was discovered in Mercedes Benz NTG (New Telematics Generation) 6. A possible heap buffer overflow exists in the user data import/export function of NTG 6 head units. To perform this attack, local access to the USB interface of the car is needed. With prepared data, an attacker can cause the User-Data service to fail. The failed service instance will restart automatically.
Severity CVSS v4.0: Pending analysis
Last modification:
27/06/2025

CVE-2024-37602
Publication date:
13/02/2025
An issue was discovered in Mercedes Benz NTG (New Telematics Generation) 6 through 2021. A possible NULL pointer dereference in the Apple Car Play function affects NTG 6 head units. To perform this attack, physical access to Ethernet pins of the head unit base board is needed. With a static IP address, an attacker can connect via the internal network to the AirTunes / AirPlay service. With prepared HTTP requests, an attacker can cause the Car Play service to fail.
Severity CVSS v4.0: Pending analysis
Last modification:
27/06/2025
Subscribe to Vulnerabilities