Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-50268
Publication date:
19/11/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()<br /> <br /> The "*cmd" variable can be controlled by the user via debugfs. That means<br /> "new_cam" can be as high as 255 while the size of the uc-&gt;updated[] array<br /> is UCSI_MAX_ALTMODES (30).<br /> <br /> The call tree is:<br /> ucsi_cmd() // val comes from simple_attr_write_xsigned()<br /> -&gt; ucsi_send_command()<br /> -&gt; ucsi_send_command_common()<br /> -&gt; ucsi_run_command() // calls ucsi-&gt;ops-&gt;sync_control()<br /> -&gt; ucsi_ccg_sync_control()
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-50269
Publication date:
19/11/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: musb: sunxi: Fix accessing an released usb phy<br /> <br /> Commit 6ed05c68cbca ("usb: musb: sunxi: Explicitly release USB PHY on<br /> exit") will cause that usb phy @glue-&gt;xceiv is accessed after released.<br /> <br /> 1) register platform driver @sunxi_musb_driver<br /> // get the usb phy @glue-&gt;xceiv<br /> sunxi_musb_probe() -&gt; devm_usb_get_phy().<br /> <br /> 2) register and unregister platform driver @musb_driver<br /> musb_probe() -&gt; sunxi_musb_init()<br /> use the phy here<br /> //the phy is released here<br /> musb_remove() -&gt; sunxi_musb_exit() -&gt; devm_usb_put_phy()<br /> <br /> 3) register @musb_driver again<br /> musb_probe() -&gt; sunxi_musb_init()<br /> use the phy here but the phy has been released at 2).<br /> ...<br /> <br /> Fixed by reverting the commit, namely, removing devm_usb_put_phy()<br /> from sunxi_musb_exit().
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2023-52921
Publication date:
19/11/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu: fix possible UAF in amdgpu_cs_pass1()<br /> <br /> Since the gang_size check is outside of chunk parsing<br /> loop, we need to reset i before we free the chunk data.<br /> <br /> Suggested by Ye Zhang (@VAR10CK) of Baidu Security.
Severity CVSS v4.0: Pending analysis
Last modification:
19/06/2025

CVE-2024-51940
Publication date:
18/11/2024
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Sohelwpexpert WP Responsive Video my-wp-responsive-video allows DOM-Based XSS.This issue affects WP Responsive Video: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026

CVE-2024-52339
Publication date:
18/11/2024
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Maximilian Ruthe Mage Front End Forms mage-forms allows Stored XSS.This issue affects Mage Front End Forms: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026

CVE-2024-52340
Publication date:
18/11/2024
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in MartyThornley Photographer Connections photographer-connections allows Stored XSS.This issue affects Photographer Connections: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026

CVE-2024-33231
Publication date:
18/11/2024
Cross Site Scripting vulnerability in Ferozo Email version 1.1 allows a local attacker to execute arbitrary code via a crafted payload to the PDF preview component.
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2024

CVE-2024-51939
Publication date:
18/11/2024
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Santhosh veer Stylish Internal Links stylish-internal-links allows DOM-Based XSS.This issue affects Stylish Internal Links: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026

CVE-2024-52587
Publication date:
18/11/2024
StepSecurity&amp;#39;s Harden-Runner provides network egress filtering and runtime security for GitHub-hosted and self-hosted runners. Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of harden-runner as the first step in a job, the likelihood of exploitation is low as the Harden-Runner action reads the environment variable during the pre-step stage. There are no known exploits at this time. Version 2.10.2 contains a patch.
Severity CVSS v4.0: LOW
Last modification:
19/11/2024

CVE-2024-52418
Publication date:
18/11/2024
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in CactusThemes Gameplan gameplan allows Reflected XSS.This issue affects Gameplan: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026

CVE-2024-52349
Publication date:
18/11/2024
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Md. Shiddikur Rahman Awesome Tool Tip awesome-tool-tip allows DOM-Based XSS.This issue affects Awesome Tool Tip: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026

CVE-2024-52389
Publication date:
18/11/2024
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in wpjobportal WP Job Portal wp-job-portal allows Stored XSS.This issue affects WP Job Portal: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2026
Subscribe to Vulnerabilities