Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-13893
Publication date:
06/03/2025
Smartwares cameras CIP-37210AT and C724IP, as well as others which share the same firmware in versions up to 3.3.0, might share same credentials for telnet service. Hash of the password can be retrieved through physical access to SPI connected memory.<br /> For the telnet service to be enabled, the inserted SD card needs to have a folder with a specific name created. <br /> Two products were tested, but since the vendor has not replied to reports, patching status remains unknown, as well as groups of devices and firmware ranges in which the same password is shared.<br /> Newer firmware versions might be vulnerable as well.
Severity CVSS v4.0: HIGH
Last modification:
06/03/2025

CVE-2024-13894
Publication date:
06/03/2025
Smartwares cameras CIP-37210AT and C724IP, as well as others which share the same firmware in versions up to 3.3.0, are vulnerable to path traversal. <br /> When an affected device is connected to a mobile app, it opens a port 10000 enabling a user to download pictures shot at specific moments by providing paths to the files. However, the directories to which a user has access are not limited, allowing for path traversal attacks and downloading sensitive information.<br /> The vendor has not replied to reports, so the patching status remains unknown. Newer firmware versions might be vulnerable as well.
Severity CVSS v4.0: MEDIUM
Last modification:
06/03/2025

CVE-2025-2045
Publication date:
06/03/2025
Improper authorization in GitLab EE affecting all versions from 17.7 prior to 17.7.6, 17.8 prior to 17.8.4, 17.9 prior to 17.9.1 allow users with limited permissions to access to potentially sensitive project analytics data.
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2025-1666
Publication date:
06/03/2025
The Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the send_uninstall_survey() function in all versions up to, and including, 4.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit the uninstall survey on behalf of a website.
Severity CVSS v4.0: Pending analysis
Last modification:
06/03/2025

CVE-2025-1696
Publication date:
06/03/2025
A vulnerability exists in Docker Desktop prior to version 4.39.0 that could lead to the unintentional disclosure of sensitive information via application logs. In affected versions, proxy configuration data—potentially including sensitive details—was written to log files in clear text whenever an HTTP GET request was made through a proxy. An attacker with read access to these logs could obtain the proxy information and leverage it for further attacks or unauthorized access. Starting with version 4.39.0, Docker Desktop no longer logs the proxy string, thereby mitigating this risk.
Severity CVSS v4.0: MEDIUM
Last modification:
06/03/2025

CVE-2024-56195
Publication date:
06/03/2025
Improper Access Control vulnerability in Apache Traffic Server.<br /> <br /> This issue affects Apache Traffic Server: from 9.2.0 through 9.2.8, from 10.0.0 through 10.0.3.<br /> <br /> Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025

CVE-2024-56196
Publication date:
06/03/2025
Improper Access Control vulnerability in Apache Traffic Server.<br /> <br /> This issue affects Apache Traffic Server: from 10.0.0 through 10.0.3.<br /> <br /> Users are recommended to upgrade to version 10.0.4, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2025

CVE-2024-7872
Publication date:
06/03/2025
Insertion of Sensitive Information Into Sent Data vulnerability in ExtremePACS Extreme XDS allows Retrieve Embedded Sensitive Data.This issue affects Extreme XDS: before 3933.
Severity CVSS v4.0: Pending analysis
Last modification:
06/03/2025

CVE-2025-1383
Publication date:
06/03/2025
The Podlove Podcast Publisher plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.2. This is due to missing or incorrect nonce validation on the ajax_transcript_delete() function. This makes it possible for unauthenticated attackers to delete arbitrary episode transcripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
19/03/2025

CVE-2024-38311
Publication date:
06/03/2025
Improper Input Validation vulnerability in Apache Traffic Server.<br /> <br /> This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3.<br /> <br /> Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025

CVE-2024-56202
Publication date:
06/03/2025
Expected Behavior Violation vulnerability in Apache Traffic Server.<br /> <br /> This issue affects Apache Traffic Server: from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3.<br /> <br /> Users are recommended to upgrade to versions 9.2.9 or 10.0.4 or newer, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025

CVE-2025-1672
Publication date:
06/03/2025
The Notibar – Notification Bar for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity CVSS v4.0: Pending analysis
Last modification:
06/03/2025
Subscribe to Vulnerabilities