Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-29018
Publication date:
09/04/2025
A Stored Cross-Site Scripting (XSS) vulnerability exists in the name parameter of pages_add_acc_type.php in Code Astro Internet Banking System 2.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2025

CVE-2025-30659
Publication date:
09/04/2025
An Improper Handling of Length Parameter Inconsistency vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).<br /> <br /> When a device configured for Secure Vector Routing (SVR) receives a specifically malformed packet the PFE will crash and restart.<br /> This issue affects Junos OS on SRX Series:<br /> <br /> <br /> <br /> * All 21.4 versions,<br /> * 22.2 versions before 22.2R3-S6,<br /> * 22.4 versions before 22.4R3-S6,<br /> * 23.2 versions before 23.2R2-S3,<br /> * 23.4 versions before 23.4R2-S4,<br /> * 24.2 versions before 24.2R2.<br /> <br /> <br /> <br /> <br /> This issue does not affect versions before 21.4.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2026

CVE-2025-30660
Publication date:
09/04/2025
An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).When processing a high rate of specific GRE traffic destined to the device, the respective PFE will hang causing traffic forwarding to stop. <br /> <br /> <br /> <br /> When this issue occurs the following logs can be observed:<br /> <br /> MQSS(0): LI-3: Received a parcel with more than 512B accompanying data <br /> CHASSISD_FPC_ASIC_ERROR: ASIC Error detected <br /> <br /> <br /> This issue affects Junos OS:<br /> <br /> * all versions before 21.2R3-S9,<br /> * 21.4 versions before 21.4R3-S8,<br /> * 22.2 versions before 22.2R3-S4,<br /> * 22.4 versions before 22.4R3-S5,<br /> * 23.2 versions before 23.2R2-S2,<br /> * 23.4 versions before 23.4R2.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2026

CVE-2025-30653
Publication date:
09/04/2025
An Expired Pointer Dereference vulnerability in Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker to cause Denial of Service (DoS).On all Junos OS and Junos OS Evolved platforms, when an MPLS Label-Switched Path (LSP) is configured with node-link-protection and transport-class, and an LSP flaps, rpd crashes and restarts. Continuous flapping of LSP can cause a sustained Denial of Service (DoS) condition.<br /> <br /> This issue affects:<br /> <br /> Junos OS:<br /> <br /> <br /> <br /> * All versions before 22.2R3-S4,<br /> <br /> * 22.4 versions before 22.4R3-S2,<br /> <br /> * 23.2 versions before 23.2R2,<br /> <br /> * 23.4 versions before 23.4R2.<br /> <br /> <br /> <br /> <br /> <br /> Junos OS Evolved:<br /> <br /> <br /> <br /> * All versions before 22.2R3-S4-EVO,<br /> <br /> * 22.4-EVO versions before 22.4R3-S2-EVO,<br /> <br /> * 23.2-EVO versions before 23.2R2-EVO,<br /> <br /> * 23.4-EVO versions before 23.4R2-EVO.
Severity CVSS v4.0: MEDIUM
Last modification:
23/01/2026

CVE-2025-30654
Publication date:
09/04/2025
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in the User Interface (UI) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged, authenticated attacker with access to the CLI to access sensitive information. <br /> <br /> Through the execution of a specific show mgd command, a user with limited permissions (e.g., a low-privileged login class user) can access sensitive information such as hashed passwords, that can be used to further impact the system.<br /> <br /> <br /> This issue affects Junos OS:  * All versions before 21.4R3-S10,<br /> * from 22.2 before 22.2R3-S5,<br /> * from 22.4 before 22.4R3-S5, <br /> * from 23.2 before 23.2R2-S3, <br /> * from 23.4 before 23.4R2-S3.<br /> <br /> <br /> <br /> <br /> <br /> Junos OS Evolved: <br /> <br /> * All versions before 21.4R3-S10-EVO,<br /> * from 22.2-EVO before 22.2R3-S6-EVO, <br /> * from 22.4-EVO before 22.4R3-S5-EVO, <br /> * from 23.2-EVO before 23.2R2-S3-EVO, <br /> * from 23.4-EVO before 23.4R2-S3-EVO.
Severity CVSS v4.0: MEDIUM
Last modification:
23/01/2026

CVE-2025-30655
Publication date:
09/04/2025
An Improper Check for Unusual or Exceptional Conditions vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker to cause a Denial-of-Service (DoS).<br /> <br /> When a specific "show bgp neighbor" CLI command is run, the rpd cpu utilization rises and eventually causes a crash and restart. Repeated use of this command will cause a sustained DoS condition. <br /> <br /> The device is only affected if BGP RIB sharding and update-threading is enabled.<br /> This issue affects Junos OS: <br /> <br /> <br /> <br /> * All versions before 21.2R3-S9, <br /> * from 21.4 before 21.4R3-S8,<br /> * from 22.2 before 22.2R3-S6, <br /> * from 22.4 before 22.4R3-S2, <br /> * from 23.2 before 23.2R2-S3, <br /> * from 23.4 before 23.4R2.<br /> <br /> <br /> and Junos OS Evolved: <br /> <br /> <br /> <br /> * All versions before 21.2R3-S9-EVO, <br /> * from 21.4-EVO before 21.4R3-S8-EVO, <br /> * from 22.2-EVO before 22.2R3-S6-EVO, <br /> * from 22.4-EVO before 22.4R3-S2-EVO, <br /> * from 23.2-EVO before 23.2R2-S3-EVO, <br /> * from 23.4-EVO before 23.4R2-EVO.
Severity CVSS v4.0: MEDIUM
Last modification:
23/01/2026

CVE-2025-30656
Publication date:
09/04/2025
An Improper Handling of Additional Special Element vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series with MS-MPC, MS-MIC and SPC3, and SRX Series, allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).<br /> <br /> If the SIP ALG processes specifically formatted SIP invites, a memory corruption will occur which will lead to a crash of the FPC processing these packets. Although the system will automatically recover with the restart of the FPC, subsequent SIP invites will cause the crash again and lead to a sustained DoS.<br /> <br /> <br /> <br /> <br /> This issue affects Junos OS on MX Series and SRX Series: <br /> <br /> * all versions before 21.2R3-S9,<br /> * 21.4 versions before 21.4R3-S10,<br /> * 22.2 versions before 22.2R3-S6,<br /> * 22.4 versions before 22.4R3-S5,<br /> * 23.2 versions before 23.2R2-S3,<br /> * 23.4 versions before 23.4R2-S3,<br /> * 24.2 versions before 24.2R1-S2, 24.2R2.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2026

CVE-2025-30657
Publication date:
09/04/2025
An Improper Encoding or Escaping of Output vulnerability in the Sampling Route Record Daemon (SRRD) of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).<br /> <br /> When a device configured for flow-monitoring receives a specific BGP update message, it is correctly processed internally by the routing protocol daemon (rpd), but when it&amp;#39;s sent to SRRD it&amp;#39;s encoded incorrectly which leads to a crash and momentary interruption of jflow processing until it automatically restarts. This issue does not affect traffic forwarding itself.<br /> This issue affects Junos OS: <br /> <br /> <br /> <br /> * All versions before 21.2R3-S9,<br /> * 21.4 versions before 21.4R3-S10,<br /> * 22.2 versions before 22.2R3-S6,<br /> * 22.4 versions before 22.4R3,<br /> * 23.2 versions before 23.2R1-S2, 23.2R2.<br /> <br /> <br /> <br /> This issue does not affected Junos OS Evolved.
Severity CVSS v4.0: MEDIUM
Last modification:
23/01/2026

CVE-2025-30658
Publication date:
09/04/2025
A Missing Release of Memory after Effective Lifetime vulnerability in the Anti-Virus processing of Juniper Networks Junos OS on SRX Series <br /> <br /> allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).<br /> <br /> On all SRX platforms with Anti-Virus enabled, if a server sends specific content in the HTTP body of a response to a client request, these packets are queued by Anti-Virus processing in Juniper Buffers (jbufs) which are never released. When these jbufs are exhausted, the device stops forwarding all transit traffic.<br /> <br /> A jbuf memory leak can be noticed from the following logs:<br /> <br /> (.) Warning: jbuf pool id utilization level (%) is above %!<br /> <br /> To recover from this issue, the affected device needs to be manually rebooted to free the leaked jbufs.<br /> <br /> <br /> <br /> <br /> This issue affects Junos OS on SRX Series: <br /> <br /> * all versions before 21.2R3-S9,<br /> * 21.4 versions before 21.4R3-S10,<br /> * 22.2 versions before 22.2R3-S6,<br /> * 22.4 versions before 22.4R3-S6,<br /> * 23.2 versions before 23.2R2-S3,<br /> * 23.4 versions before 23.4R2-S3,<br /> * 24.2 versions before 24.2R2.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2026

CVE-2025-30651
Publication date:
09/04/2025
A Buffer Access with Incorrect Length Value vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS).<br /> When an attacker sends a specific ICMPv6 packet to an interface with "protocols router-advertisement" configured, rpd crashes and restarts. Continued receipt of this packet will cause a sustained DoS condition. <br /> <br /> <br /> <br /> <br /> This issue only affects systems configured with IPv6.<br /> <br /> <br /> <br /> This issue affects Junos OS: <br /> <br /> <br /> * All versions before 21.2R3-S9, <br /> * from 21.4 before 21.4R3-S10, <br /> * from 22.2 before 22.2R3-S6, <br /> * from 22.4 before 22.4R3-S4, <br /> * from 23.2 before 23.2R2-S2, <br /> * from 23.4 before 23.4R2; <br /> <br /> <br /> <br /> and Junos OS Evolved: <br /> * All versions before 21.2R3-S9-EVO, <br /> * from 21.4-EVO before 21.4R3-S10-EVO, <br /> * from 22.2-EVO before 22.2R3-S6-EVO, <br /> * from 22.4-EVO before 22.4R3-S4-EVO, <br /> * from 23.2-EVO before 23.2R2-S2-EVO, <br /> * from 23.4-EVO before 23.4R2-EVO.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2026

CVE-2025-30652
Publication date:
09/04/2025
An Improper Handling of Exceptional Conditions vulnerability in routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker executing a CLI command to cause a Denial of Service (DoS).<br /> <br /> When asregex-optimized is configured and a specific "show route as-path" CLI command is executed, the rpd crashes and restarts. Repeated execution of this command will cause a sustained DoS condition.<br /> This issue affects Junos OS: <br /> <br /> <br /> * All versions before 21.2R3-S9, <br /> * from 21.4 before 21.4R3-S10, <br /> * from 22.2 before 22.2R3-S6, <br /> * from 22.4 before 22.4R3-S6, <br /> * from 23.2 before 23.2R2-S3, <br /> * from 23.4 before 23.4R2-S4, <br /> * from 24.2 before 24.2R2.<br /> <br /> <br /> <br /> and Junos OS Evolved: <br /> * All versions before 21.2R3-S9-EVO, <br /> * from 21.4-EVO before 21.4R3-S10-EVO, <br /> * from 22.2-EVO before 22.2R3-S6-EVO, <br /> * from 22.4-EVO before 22.4R3-S6-EVO, <br /> * from 23.2-EVO before 23.2R2-S3-EVO, <br /> * from 23.4-EVO before 23.4R2-S4-EVO, <br /> * from 24.2-EVO before 24.2R2-EVO.
Severity CVSS v4.0: MEDIUM
Last modification:
23/01/2026

CVE-2025-30649
Publication date:
09/04/2025
An Improper Input Validation vulnerability in the syslog stream TCP transport of Juniper Networks Junos OS on MX240, MX480 and MX960 devices with MX-SPC3 Security Services Card allows an unauthenticated, network-based attacker, to send specific spoofed packets to cause a CPU Denial of Service (DoS) to the MX-SPC3 SPUs.<br /> <br /> Continued receipt and processing of these specific packets will sustain the DoS condition.<br /> <br /> This issue affects Junos OS: * All versions before 22.2R3-S6,<br /> * from 22.4 before 22.4R3-S4,<br /> * from 23.2 before 23.2R2-S3,<br /> * from 23.4 before 23.4R2-S4,<br /> * from 24.2 before 24.2R1-S2, 24.2R2<br /> <br /> <br /> An indicator of compromise will indicate the SPC3 SPUs utilization has spiked.<br /> <br /> <br /> For example: <br />    user@device&gt; show services service-sets summary<br /> Service sets CPU<br /> Interface configured Bytes used Session bytes used Policy bytes used utilization<br /> "interface" 1 "bytes" (percent%) "sessions" ("percent"%) "bytes" ("percent"%) 99.97 % OVLD
Severity CVSS v4.0: HIGH
Last modification:
26/01/2026
Subscribe to Vulnerabilities