Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-6031
Publication date:
12/06/2025
Amazon Cloud Cam is a home security camera that was deprecated on December 2, 2022, is end of life, and is no longer actively supported. <br /> <br /> When a user powers on the Amazon Cloud Cam, the device attempts to connect to a remote service infrastructure that has been deprecated due to end-of-life status. The device defaults to a pairing status in which an arbitrary user can bypass SSL pinning to associate the device to an arbitrary network, allowing for network traffic interception and modification.<br /> <br /> We recommend customers discontinue usage of any remaining Amazon Cloud Cams.
Severity CVSS v4.0: HIGH
Last modification:
14/10/2025

CVE-2025-2745
Publication date:
12/06/2025
A cross-site scripting vulnerability exists in AVEVA PI Web API version 2023 <br /> SP1 and prior that, if exploited, could allow an authenticated attacker <br /> (with privileges to create/update annotations or upload media files) to <br /> persist arbitrary JavaScript code that will be executed by users who <br /> were socially engineered to disable content security policy protections <br /> while rendering annotation attachments from within a web browser.
Severity CVSS v4.0: MEDIUM
Last modification:
16/06/2025

CVE-2025-36539
Publication date:
12/06/2025
AVEVA PI Data Archive products <br /> are vulnerable to an uncaught exception that, if exploited, could allow <br /> an authenticated user to shut down certain necessary PI Data Archive <br /> subsystems, resulting in a denial of service.
Severity CVSS v4.0: HIGH
Last modification:
16/06/2025

CVE-2025-44019
Publication date:
12/06/2025
AVEVA PI Data Archive products are vulnerable to an uncaught exception that, if <br /> exploited, could allow an authenticated user to shut down certain <br /> necessary PI Data Archive subsystems, resulting in a denial of service. <br /> Depending on the timing of the crash, data present in snapshots/write <br /> cache may be lost.
Severity CVSS v4.0: HIGH
Last modification:
16/06/2025

CVE-2025-48699
Publication date:
12/06/2025
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2025

CVE-2025-4417
Publication date:
12/06/2025
A cross-site scripting vulnerability exists in <br /> AVEVA PI Connector for CygNet <br /> Versions 1.6.14 and prior that, if exploited, could allow an <br /> administrator miscreant with local access to the connector admin portal <br /> to persist arbitrary JavaScript code that will be executed by other <br /> users who visit affected pages.
Severity CVSS v4.0: MEDIUM
Last modification:
16/06/2025

CVE-2025-4418
Publication date:
12/06/2025
An improper validation of integrity check value vulnerability exists in <br /> <br /> AVEVA PI Connector for CygNet Versions 1.6.14 and prior that, if exploited, <br /> could allow a miscreant with elevated privileges to modify PI Connector <br /> for CygNet local data files (cache and buffers) in a way that causes the<br /> connector service to become unresponsive.
Severity CVSS v4.0: MEDIUM
Last modification:
16/06/2025

CVE-2025-49575
Publication date:
12/06/2025
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2025

CVE-2025-49576
Publication date:
12/06/2025
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. The citizen-search-noresults-title and citizen-search-noresults-desc system messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This vulnerability is fixed in 3.3.1.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2025

CVE-2025-49577
Publication date:
12/06/2025
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various preferences messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This vulnerability is fixed in 3.3.1.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2025

CVE-2025-49578
Publication date:
12/06/2025
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various date messages returned by `Language::userDate` are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2025

CVE-2025-49579
Publication date:
12/06/2025
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2025
Subscribe to Vulnerabilities