Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible, as results can be narrowed down by selecting different criteria, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters, users can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recently added vulnerabilities.

CVE-2024-52329

Publication date:
23/01/2025
ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens.
Severity CVSS v4.0: CRITICAL
Last modification:
23/01/2025

CVE-2024-52330

Publication date:
23/01/2025
ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.
Severity CVSS v4.0: CRITICAL
Last modification:
23/01/2025

CVE-2024-52331

Publication date:
23/01/2025
ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2025

CVE-2024-12078

Publication date:
23/01/2025
ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE range can control any robot using the same key.
Severity CVSS v4.0: MEDIUM
Last modification:
23/01/2025

CVE-2024-12079

Publication date:
23/01/2025
ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. An attacker can steal a lawnmower, read the PIN, and reset the anti-theft mechanism.
Severity CVSS v4.0: MEDIUM
Last modification:
23/01/2025

CVE-2024-52327

Publication date:
23/01/2025
The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed.
Severity CVSS v4.0: MEDIUM
Last modification:
23/01/2025

CVE-2024-11147

Publication date:
23/01/2025
ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. An attacker with shell access can login as root.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2025

CVE-2025-23733

Publication date:
23/01/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sayocode SC Simple Zazzle allows Reflected XSS. This issue affects SC Simple Zazzle: from n/a through 1.1.6.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2025

CVE-2025-23834

Publication date:
23/01/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Links/Problem Reporter allows Reflected XSS. This issue affects Links/Problem Reporter: from n/a through 2.6.0.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2025

CVE-2025-23835

Publication date:
23/01/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Legal + allows Reflected XSS. This issue affects Legal +: from n/a through 1.0.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2025

CVE-2025-23836

Publication date:
23/01/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SuryaBhan Custom Coming Soon allows Reflected XSS. This issue affects Custom Coming Soon: from n/a through 2.2.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2025

CVE-2025-23894

Publication date:
23/01/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tatsuya Fukata, Alexander Ovsov wp-flickr-press allows Reflected XSS. This issue affects wp-flickr-press: from n/a through 2.6.4.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2025