Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-1815
Publication date:
04/03/2025
A security vulnerability was discovered in the local status page functionality of Cisco Meraki’s MX67 and MX68 security appliance models that may allow unauthenticated individuals to access and download logs containing sensitive, privileged device information. The vulnerability is due to improper access control to the files holding debugging and maintenance information, and is only exploitable when the local status page is enabled on the device. An attacker exploiting this vulnerability may obtain access to wireless pre-shared keys, Site-to-Site VPN key and other sensitive information. Under certain circumstances, this information may allow an attacker to obtain administrative-level access to the device.
Severity CVSS v4.0: Pending analysis
Last modification:
04/03/2025

CVE-2020-3122
Publication date:
04/03/2025
A vulnerability in the web-based management interface of Cisco AsyncOS for Cisco Content Security Management Appliance (SMA) could allow an unauthenticated, remote attacker to obtain sensitive network information.
Severity CVSS v4.0: Pending analysis
Last modification:
31/07/2025

CVE-2024-41147
Publication date:
04/03/2025
An out-of-bounds write vulnerability exists in the ma_dr_flac__decode_samples__lpc functionality of Miniaudio miniaudio v0.11.21. A specially crafted .flac file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2024-10930
Publication date:
04/03/2025
An Uncontrolled Search Path Element vulnerability exists which could allow a malicious actor to perform DLL hijacking and execute arbitrary code with escalated privileges.
Severity CVSS v4.0: HIGH
Last modification:
05/02/2026

CVE-2025-27507
Publication date:
04/03/2025
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While several endpoints are affected, the most critical vulnerability lies in the ability to manipulate LDAP configurations. Customers who do not utilize LDAP for authentication are not at risk from the most severe aspects of this vulnerability. However, upgrading to the patched version to address all identified issues is strongly recommended. This vulnerability is fixed in 2.71.0, 2.70.1, ,2.69.4, 2.68.4, 2.67.8, 2.66.11, 2.65.6, 2.64.5, and 2.63.8.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2025-27401
Publication date:
04/03/2025
Tuleap is an Open Source Suite to improve management of software developments and collaboration. In a standard usages of Tuleap, the issue has a limited impact, it will mostly leave dangling data. However, a malicious user could create and delete reports multiple times to cycle through all the filters of all reports of the instance and delete them. The malicious user only needs to have access to one tracker. This would result in the loss of all criteria filters forcing users and tracker admins to re-create them. This vulnerability is fixed in Tuleap Community Edition 16.4.99.1740498975 and Tuleap Enterprise Edition 16.4-6 and 16.3-11.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2025

CVE-2025-27402
Publication date:
04/03/2025
Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap is missing CSRF protections on tracker fields administrative operations. An attacker could use this vulnerability to trick victims into removing or updating tracker fields. This vulnerability is fixed in Tuleap Community Edition 16.4.99.1740414959 and Tuleap Enterprise Edition 16.4-6 and 16.3-11.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2025

CVE-2025-26091
Publication date:
04/03/2025
A Cross Site Scripting (XSS) vulnerability exists in TeamPasswordManager v12.162.284 and before that could allow a remote attacker to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'name' parameter when creating a new password in the "My Passwords" page.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2025-26182
Publication date:
04/03/2025
An issue in xxyopen novel plus v.4.4.0 and before allows a remote attacker to execute arbitrary code via the PageController.java file
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2025

CVE-2025-27150
Publication date:
04/03/2025
Tuleap is an Open Source Suite to improve management of software developments and collaboration. The password to connect the Redis instance is not purged from the archive generated with tuleap collect-system-data. These archives are likely to be used by support teams that should not have access to this password. The vulnerability is fixed in Tuleap Community Edition 16.4.99.1740492866 and Tuleap Enterprise Edition 16.4-6 and 16.3-11.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2025

CVE-2025-27155
Publication date:
04/03/2025
Pinecone is an experimental overlay routing protocol suite which is the foundation of the current P2P Matrix demos. The Pinecone Simulator (pineconesim) included in Pinecone up to commit ea4c337 is vulnerable to stored cross-site scripting. The payload storage is not permanent and will be wiped when restarting pineconesim.
Severity CVSS v4.0: Pending analysis
Last modification:
04/03/2025

CVE-2025-27156
Publication date:
04/03/2025
Tuleap is an Open Source Suite to improve management of software developments and collaboration. The mass emailing features do not sanitize the content of the HTML emails. A malicious user could use this issue to facilitate a phishing attempt or to indirectly exploit issues in the recipients mail clients. This vulnerability is fixed in Tuleap Community Edition 16.4.99.1740567344 and Tuleap Enterprise Edition 16.4-6 and 16.3-11.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2025
Subscribe to Vulnerabilities