Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-36441
Publication date:
22/08/2024
Swissphone DiCal-RED 4009 devices allow an unauthenticated attacker use a port-2101 TCP connection to gain access to operation messages that are received by the device.
Severity CVSS v4.0: Pending analysis
Last modification:
23/08/2024

CVE-2024-3127
Publication date:
22/08/2024
An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, all versions starting from 17.3 before 17.3.1. Under certain conditions it may be possible to bypass the IP restriction for groups through GraphQL allowing unauthorised users to perform some actions at the group level.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2024

CVE-2024-40884
Publication date:
22/08/2024
Mattermost versions 9.5.x
Severity CVSS v4.0: Pending analysis
Last modification:
17/10/2024

CVE-2023-6452
Publication date:
22/08/2024
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Forcepoint Web Security (Transaction Viewer) allows Stored XSS.<br /> <br /> <br /> <br /> <br /> <br /> The<br /> Forcepoint Web Security portal allows administrators to generate <br /> detailed reports on user requests made through the Web proxy. It has <br /> been determined that the "user agent" field in the Transaction Viewer is<br /> vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability, <br /> which can be exploited by any user who can route traffic through the <br /> Forcepoint Web proxy.<br /> <br /> This <br /> vulnerability enables unauthorized attackers to execute JavaScript <br /> within the browser context of a Forcepoint administrator, thereby <br /> allowing them to perform actions on the administrator&amp;#39;s behalf. Such a <br /> breach could lead to unauthorized access or modifications, posing a <br /> significant security risk.<br /> <br /> <br /> <br /> <br /> <br /> <br /> This issue affects Web Security: before 8.5.6.
Severity CVSS v4.0: Pending analysis
Last modification:
23/08/2024

CVE-2024-36442
Publication date:
22/08/2024
cgi-bin/fdmcgiwebv2.cgi on Swissphone DiCal-RED 4009 devices allows an authenticated attacker to gain access to arbitrary files on the device&amp;#39;s file system.
Severity CVSS v4.0: Pending analysis
Last modification:
23/08/2024

CVE-2024-36444
Publication date:
22/08/2024
cgi-bin/fdmcgiwebv2.cgi on Swissphone DiCal-RED 4009 devices allows an unauthenticated attacker to gain access to device logs.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2024-36445
Publication date:
22/08/2024
Swissphone DiCal-RED 4009 devices allow a remote attacker to gain a root shell via TELNET without authentication.
Severity CVSS v4.0: Pending analysis
Last modification:
23/08/2024

CVE-2024-43785
Publication date:
22/08/2024
gitoxide An idiomatic, lean, fast &amp; safe pure Rust implementation of Git. gitoxide-core, which provides most underlying functionality of the gix and ein commands, does not neutralize newlines, backspaces, or control characters—including those that form ANSI escape sequences—that appear in a repository&amp;#39;s paths, author and committer names, commit messages, or other metadata. Such text may be written as part of the output of a command, as well as appearing in error messages when an operation fails. This sometimes allows an untrusted repository to misrepresent its contents and to alter or concoct error messages.
Severity CVSS v4.0: Pending analysis
Last modification:
23/08/2024

CVE-2024-43787
Publication date:
22/08/2024
Hono is a Web application framework that provides support for any JavaScript runtime. Hono CSRF middleware can be bypassed using crafted Content-Type header. MIME types are case insensitive, but isRequestedByFormElementRe only matches lower-case. As a result, attacker can bypass csrf middleware using upper-case form-like MIME type. This vulnerability is fixed in 4.5.8.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025

CVE-2024-43398
Publication date:
22/08/2024
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. The REXML gem 3.3.6 or later include the patch to fix the vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-36439
Publication date:
22/08/2024
Swissphone DiCal-RED 4009 devices allow a remote attacker to gain access to the administrative web interface via the device password&amp;#39;s hash value, without knowing the actual device password.
Severity CVSS v4.0: Pending analysis
Last modification:
23/08/2024

CVE-2024-36440
Publication date:
22/08/2024
An issue was discovered on Swissphone DiCal-RED 4009 devices. An attacker with access to the file /etc/deviceconfig may recover the administrative device password via password-cracking methods, because unsalted MD5 is used.
Severity CVSS v4.0: Pending analysis
Last modification:
23/08/2024
Subscribe to Vulnerabilities