Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, since different criteria can be selected to narrow down the results, for example vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-24503

Publication date:
30/01/2025
A malicious actor can fix the session of a PAM user by tricking the user to click on a specially crafted link to the PAM server.
Severity CVSS v4.0: CRITICAL
Last modification:
05/02/2025

CVE-2025-24504

Publication date:
30/01/2025
An improper input validation in the CSRF filter results in unsanitized user input being written to the application logs.
Severity CVSS v4.0: MEDIUM
Last modification:
05/02/2025

CVE-2025-0683

Publication date:
30/01/2025
In its default configuration, Contec Health CMS8000 Patient Monitor transmits plain-text patient data to a hard-coded public IP address when a patient is hooked up to the monitor. This could lead to a leakage of confidential patient data to any device with that IP address or an attacker in a machine-in-the-middle scenario.
Severity CVSS v4.0: HIGH
Last modification:
31/01/2025

CVE-2025-0680

Publication date:
30/01/2025
Affected products contain a vulnerability in the device cloud rpc command handling process that could allow remote attackers to take control over arbitrary devices connected to the cloud.
Severity CVSS v4.0: CRITICAL
Last modification:
30/01/2025

CVE-2025-0681

Publication date:
30/01/2025
The Cloud MQTT service of the affected products supports wildcard topic subscription, which could allow an attacker to obtain sensitive information by tapping the service communications.
Severity CVSS v4.0: MEDIUM
Last modification:
30/01/2025

CVE-2025-24501

Publication date:
30/01/2025
An improper input validation allows an unauthenticated attacker to alter PAM logs by sending a specially crafted HTTP request.
Severity CVSS v4.0: MEDIUM
Last modification:
05/02/2025

CVE-2025-24502

Publication date:
30/01/2025
An improper session validation allows an unauthenticated attacker to cause certain request notifications to be executed in the context of an incorrect user by spoofing the client IP address.
Severity CVSS v4.0: MEDIUM
Last modification:
05/02/2025

CVE-2025-24500

Publication date:
30/01/2025
The vulnerability allows an unauthenticated attacker to access information in the PAM database.
Severity CVSS v4.0: HIGH
Last modification:
13/03/2025

CVE-2025-0626

Publication date:
30/01/2025
The "monitor" binary in the firmware of the affected product attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function also enables the network interface of the device if it is disabled. The function is triggered by attempting to update the device from the user menu. This could serve as a backdoor to the device, and could lead to a malicious actor being able to upload and overwrite files on the device.
Severity CVSS v4.0: HIGH
Last modification:
01/03/2025

CVE-2024-12248

Publication date:
30/01/2025
Contec Health CMS8000 Patient Monitor is vulnerable to an out-of-bounds write, which could allow an attacker to send specially formatted UDP requests in order to write arbitrary data. This could result in remote code execution.
Severity CVSS v4.0: CRITICAL
Last modification:
31/01/2025

CVE-2024-44142

Publication date:
30/01/2025
The issue was addressed with improved bounds checks. This issue is fixed in GarageBand 10.4.12. Processing a maliciously crafted image may lead to arbitrary code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2025

CVE-2025-0498

Publication date:
30/01/2025
A data exposure vulnerability exists in all versions prior to V15.00.001 of Rockwell Automation FactoryTalk® AssetCentre. The vulnerability exists due to insecure storage of FactoryTalk® Security user tokens, which could allow a threat actor to steal a token and impersonate another user.
Severity CVSS v4.0: HIGH
Last modification:
30/01/2025