Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-55930
Publication date:
23/01/2025
Xerox Workplace Suite has weak default folder permissions that allow unauthorized users to access, modify, or delete files
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2026

CVE-2024-55928
Publication date:
23/01/2025
Xerox Workplace Suite exposes sensitive secrets in clear text, both locally and remotely. This vulnerability allows attackers to intercept or access secrets without encryption
Severity CVSS v4.0: Pending analysis
Last modification:
28/02/2026

CVE-2024-55926
Publication date:
23/01/2025
A vulnerability found in Xerox Workplace Suite allows arbitrary file read, upload, and deletion on the server through crafted header manipulation. By exploiting improper validation of headers, attackers can gain unauthorized access to data
Severity CVSS v4.0: Pending analysis
Last modification:
28/02/2026

CVE-2024-55927
Publication date:
23/01/2025
A vulnerability in Xerox Workplace Suite arises from flawed token generation and the use of hard-coded keys. These weaknesses allow attackers to predict or forge tokens, leading to unauthorized access to sensitive functions.
Severity CVSS v4.0: Pending analysis
Last modification:
28/02/2026

CVE-2024-45672
Publication date:
23/01/2025
IBM Security Verify Bridge 1.0.0 through 1.0.15 could allow a local privileged user to overwrite files due to excessive privileges granted to the agent. which could also cause a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
14/08/2025

CVE-2025-0650
Publication date:
23/01/2025
A flaw was found in the Open Virtual Network (OVN). Specially crafted UDP packets may bypass egress access control lists (ACLs) in OVN installations configured with a logical switch with DNS records set on it and if the same switch has any egress ACLs configured. This issue can lead to unauthorized access to virtual machines and containers running on the OVN network.
Severity CVSS v4.0: Pending analysis
Last modification:
06/02/2025

CVE-2024-55925
Publication date:
23/01/2025
In Xerox Workplace Suite, an API restricted to specific hosts can be bypassed by manipulating the Host header. If the server improperly validates or trusts the Host header without verifying the actual destination, an attacker can forge a value to gain unauthorized access. This exploit targets improper host validation, potentially exposing sensitive API endpoints.
Severity CVSS v4.0: Pending analysis
Last modification:
28/02/2026

CVE-2024-52328
Publication date:
23/01/2025
ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that users may not be aware that the camera is on.
Severity CVSS v4.0: LOW
Last modification:
23/09/2025

CVE-2024-52329
Publication date:
23/01/2025
ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens.
Severity CVSS v4.0: CRITICAL
Last modification:
23/09/2025

CVE-2024-52330
Publication date:
23/01/2025
ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.
Severity CVSS v4.0: CRITICAL
Last modification:
23/09/2025

CVE-2024-52331
Publication date:
23/01/2025
ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot.
Severity CVSS v4.0: HIGH
Last modification:
02/10/2025

CVE-2024-12078
Publication date:
23/01/2025
ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE range can control any robot using the same key.
Severity CVSS v4.0: MEDIUM
Last modification:
23/09/2025
Subscribe to Vulnerabilities