Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-39314

Publication date:
01/07/2024
toy-blog is a headless content management system implementation. Starting in version 0.4.3 and prior to version 0.5.0, the administrative password was leaked through the command line parameter. The problem was patched in version 0.5.0. As a workaround, pass `--read-bearer-token-from-stdin` to the launch arguments and feed the token from the standard input in version 0.4.14 or later. Earlier versions do not have this workaround.
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2024

CVE-2024-23736

Publication date:
01/07/2024
Cross Site Request Forgery (CSRF) vulnerability in savignano S/Notify before 4.0.2 for Confluence allows attackers to manipulate a user's S/MIME certificate or PGP key via a malicious link or email.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2024

CVE-2024-23737

Publication date:
01/07/2024
Cross Site Request Forgery (CSRF) vulnerability in savignano S/Notify before 4.0.2 for Jira allows attackers to manipulate a user's S/MIME certificate or PGP key via a malicious link or email.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2025

CVE-2024-37762

Publication date:
01/07/2024
MachForm up to version 21 is affected by an authenticated unrestricted file upload which leads to a remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2025

CVE-2024-38367

Publication date:
01/07/2024
trunk.cocoapods.org is the authentication server for the CocoaPods dependency manager. Prior to commit d4fa66f49cedab449af9a56a21ab40697b9f7b97, the trunk sessions verification step could be manipulated for owner session hijacking. Compromising a victim's session will result in a full takeover of the CocoaPods trunk account. The threat actor could manipulate their pod specifications, disrupt the distribution of legitimate libraries, or cause widespread disruption within the CocoaPods ecosystem. This was patched server-side with commit d4fa66f49cedab449af9a56a21ab40697b9f7b97 in October 2023.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2024

CVE-2024-38368

Publication date:
01/07/2024
trunk.cocoapods.org is the authentication server for the CocoaPods dependency manager. A vulnerability affected older pods which migrated from the pre-2014 pull request workflow to trunk. If the pods had never been claimed then it was still possible to do so. It was also possible to have all owners removed from a pod, and that made the pod available for the same claiming system. This was patched server-side in commit 71be5440906b6bdfbc0bcc7f8a9fec33367ea0f4 in September 2023.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2024

CVE-2024-39305

Publication date:
01/07/2024
Envoy is a cloud-native, open source edge and service proxy. Prior to versions 1.30.4, 1.29.7, 1.28.5, and 1.27.7, Envoy references already freed memory when route hash policy is configured with cookie attributes. Note that this vulnerability has been fixed in the open as the effect would be immediately apparent if it was configured. Memory allocated for holding attribute values is freed after the configuration is parsed. During request processing Envoy will attempt to copy the content of the de-allocated memory into the request cookie header. This can lead to arbitrary content of Envoy's memory being sent to the upstream service or to abnormal process termination. This vulnerability is fixed in Envoy versions v1.30.4, v1.29.7, v1.28.5, and v1.27.7. As a workaround, do not use cookie attributes in route action hash policy.
Severity CVSS v4.0: Pending analysis
Last modification:
02/09/2025

CVE-2024-5322

Publication date:
01/07/2024
The N-central server is vulnerable to session rebinding of already authenticated users when using Entra SSO, which can lead to authentication bypass.

This vulnerability is present in all Entra-supported deployments of N-central prior to 2024.3.
Severity CVSS v4.0: Pending analysis
Last modification:
08/09/2025

CVE-2024-28200

Publication date:
01/07/2024
The N-central server is vulnerable to an authentication bypass of the user interface. This vulnerability is present in all deployments of N-central prior to 2024.2.

This vulnerability was discovered through internal N-central source code review and N-able has not observed any exploitation in the wild.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2024

CVE-2024-32228

Publication date:
01/07/2024
FFmpeg 7.0 is vulnerable to Buffer Overflow. There is a SEGV at libavcodec/hevcdec.c:2947:22 in hevc_frame_end.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2025

CVE-2024-32229

Publication date:
01/07/2024
FFmpeg 7.0 contains a heap-buffer-overflow at libavfilter/vf_tiltandshift.c:189:5 in copy_column.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2025

CVE-2024-32230

Publication date:
01/07/2024
FFmpeg 7.0 is vulnerable to Buffer Overflow. There is a negative-size-param bug at libavcodec/mpegvideo_enc.c:1216:21 in load_input_picture.
Severity CVSS v4.0: Pending analysis
Last modification:
14/03/2025