Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2017-17547
Publication date:
17/03/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2025

CVE-2017-17548
Publication date:
17/03/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2025

CVE-2018-1358
Publication date:
17/03/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2025

CVE-2018-9196
Publication date:
17/03/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2025

CVE-2018-9197
Publication date:
17/03/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2025

CVE-2018-9198
Publication date:
17/03/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2025

CVE-2018-9199
Publication date:
17/03/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2025

CVE-2018-9200
Publication date:
17/03/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2025

CVE-2017-17542
Publication date:
17/03/2025
Rejected reason: Not used
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2025

CVE-2025-2398
Publication date:
17/03/2025
A vulnerability was found in China Mobile P22g-CIac, ZXWT-MIG-P4G4V, ZXWT-MIG-P8G8V, GT3200-4G4P and GT3200-8G8P up to 20250305. It has been rated as critical. This issue affects some unknown processing of the component CLI su Command Handler. The manipulation leads to use of default credentials. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: HIGH
Last modification:
18/03/2025

CVE-2025-2419
Publication date:
17/03/2025
A vulnerability classified as critical has been found in code-projects Real Estate Property Management System 1.0. Affected is an unknown function of the file /InsertFeedback.php. The manipulation of the argument txtName/txtEmail/txtMobile/txtFeedback leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
23/10/2025

CVE-2025-29781
Publication date:
17/03/2025
The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. Baremetal Operator enables users to load Secret from arbitrary namespaces upon deployment of the namespace scoped Custom Resource `BMCEventSubscription`. Prior to versions 0.8.1 and 0.9.1, an adversary Kubernetes account with only namespace level roles (e.g. a tenant controlling a namespace) may create a `BMCEventSubscription` in his authorized namespace and then load Secrets from his unauthorized namespaces to his authorized namespace via the Baremetal Operator, causing Secret Leakage. The patch makes BMO refuse to read Secrets from other namespace than where the corresponding BMH resource is. The patch does not change the `BMCEventSubscription` API in BMO, but stricter validation will fail the request at admission time. It will also prevent the controller reading such Secrets, in case the BMCES CR has already been deployed. The issue exists for all versions of BMO, and is patched in BMO releases v0.9.1 and v0.8.1. Prior upgrading to patched BMO version, duplicate any existing Secret pointed to by `BMCEventSubscription`'s `httpHeadersRef` to the same namespace where the corresponding BMH exists. After upgrade, remove the old Secrets. As a workaround, the operator can configure BMO RBAC to be namespace scoped, instead of cluster scoped, to prevent BMO from accessing Secrets from other namespaces, and/or use `WATCH_NAMESPACE` configuration option to limit BMO to single namespace.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2025
Subscribe to Vulnerabilities