Vulnerabilities

To inform, warn and help professionals deal with the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: you can select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-54879

Publication date: 06/01/2025
SeaCMS V13.1 is vulnerable to Incorrect Access Control. A logic flaw can be exploited by an attacker to allow any user to recharge members indefinitely.
Severity CVSS v4.0: Pending analysis
Last modification: 28/03/2025

CVE-2024-46622

Publication date: 06/01/2025
An Escalation of Privilege security vulnerability was found in SecureAge Security Suite software 7.0.x before 7.0.38, 7.1.x before 7.1.11, 8.0.x before 8.0.18, and 8.1.x before 8.1.18 that allows arbitrary file creation, modification and deletion.
Severity CVSS v4.0: Pending analysis
Last modification: 15/04/2026

CVE-2024-46073

Publication date: 06/01/2025
A reflected Cross-Site Scripting (XSS) vulnerability exists in the login page of IceHRM v32.4.0.OS. The vulnerability is due to improper sanitization of the "next" parameter, which is included in the application's response without adequate escaping. An attacker can exploit this flaw by tricking a user into visiting a specially crafted URL, causing the execution of arbitrary JavaScript code in the context of the victim's browser. The issue occurs even though the application has sanitization mechanisms in place.
Severity CVSS v4.0: Pending analysis
Last modification: 15/04/2026

CVE-2025-21613

Publication date: 06/01/2025
go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.
Severity CVSS v4.0: CRITICAL
Last modification: 17/04/2025

CVE-2025-21614

Publication date: 06/01/2025
go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification: 30/09/2025

CVE-2025-21615

Publication date: 06/01/2025
AAT (Another Activity Tracker) is a GPS-tracking application for tracking sportive activities, with emphasis on cycling. Versions lower than v1.26 of AAT are vulnerable to data exfiltration from malicious apps installed on the same device.
Severity CVSS v4.0: Pending analysis
Last modification: 15/04/2026

CVE-2025-21618

Publication date: 06/01/2025
NiceGUI is an easy-to-use, Python-based UI framework. Prior to 2.9.1, authenticating with NiceGUI logged in the user for all browsers, including browsers in incognito mode. This vulnerability is fixed in 2.9.1.
Severity CVSS v4.0: Pending analysis
Last modification: 15/04/2026

CVE-2024-56769

Publication date: 06/01/2025
In the Linux kernel, the following vulnerability has been resolved:

media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg

Syzbot reports [1] an uninitialized value issue found by KMSAN in dib3000_read_reg().

Local u8 rb[2] is used in i2c_transfer() as a read buffer; in case that call fails, the buffer may end up with some undefined values.

Since no elaborate error handling is expected in dib3000_write_reg(), simply zero out rb buffer to mitigate the problem.

[1] Syzkaller report
dvb-usb: bulk message failed: -22 (6/0)
=====================================================
BUG: KMSAN: uninit-value in dib3000mb_attach+0x2d8/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758
dib3000mb_attach+0x2d8/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758
dibusb_dib3000mb_frontend_attach+0x155/0x2f0 drivers/media/usb/dvb-usb/dibusb-mb.c:31
dvb_usb_adapter_frontend_init+0xed/0x9a0 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:290
dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:90 [inline]
dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:186 [inline]
dvb_usb_device_init+0x25a8/0x3760 drivers/media/usb/dvb-usb/dvb-usb-init.c:310
dibusb_probe+0x46/0x250 drivers/media/usb/dvb-usb/dibusb-mb.c:110
...
Local variable rb created at:
dib3000_read_reg+0x86/0x4e0 drivers/media/dvb-frontends/dib3000mb.c:54
dib3000mb_attach+0x123/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758
...

Severity CVSS v4.0: Pending analysis
Last modification: 03/11/2025

CVE-2024-56766

Publication date: 06/01/2025
In the Linux kernel, the following vulnerability has been resolved:

mtd: rawnand: fix double free in atmel_pmecc_create_user()

The "user" pointer was converted from being allocated with kzalloc() to being allocated by devm_kzalloc(). Calling kfree(user) will lead to a double free.

Severity CVSS v4.0: Pending analysis
Last modification: 03/11/2025

CVE-2024-56767

Publication date: 06/01/2025
In the Linux kernel, the following vulnerability has been resolved:

dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset

The at_xdmac_memset_create_desc may return NULL, which will lead to a null pointer dereference. For example, the len input is error, or the atchan->free_descs_list is empty and memory is exhausted. Therefore, add check to avoid this.

Severity CVSS v4.0: Pending analysis
Last modification: 03/11/2025

CVE-2024-56768

Publication date: 06/01/2025
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix bpf_get_smp_processor_id() on !CONFIG_SMP

On x86-64 calling bpf_get_smp_processor_id() in a kernel with CONFIG_SMP disabled can trigger the following bug, as pcpu_hot is unavailable:

[ 8.471774] BUG: unable to handle page fault for address: 00000000936a290c
[ 8.471849] #PF: supervisor read access in kernel mode
[ 8.471881] #PF: error_code(0x0000) - not-present page

Fix by inlining a return 0 in the !CONFIG_SMP case.

Severity CVSS v4.0: Pending analysis
Last modification: 01/10/2025

CVE-2024-56763

Publication date: 06/01/2025
In the Linux kernel, the following vulnerability has been resolved:

tracing: Prevent bad count for tracing_cpumask_write

If a large count is provided, it will trigger a warning in bitmap_parse_user. Also check zero for it.

Severity CVSS v4.0: Pending analysis
Last modification: 03/11/2025