Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates that information into Spanish.

On occasion, this list shows vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-48871

Publication date:
06/12/2024
The affected product is vulnerable to a stack-based buffer overflow. An unauthenticated attacker could send a malicious HTTP request; the webserver fails to properly check input size before copying data to the stack, potentially allowing remote code execution.
Severity CVSS v4.0: CRITICAL
Last modification:
06/12/2024

CVE-2024-51727

Publication date:
06/12/2024
Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x contain a feature that could enable attackers to invalidate a legitimate user's session and cause a denial-of-service attack on a user's account.
Severity CVSS v4.0: HIGH
Last modification:
10/12/2024

CVE-2024-52320

Publication date:
06/12/2024
The affected product is vulnerable to a command injection. An unauthenticated attacker could send commands through a malicious HTTP request which could result in remote code execution.
Severity CVSS v4.0: CRITICAL
Last modification:
06/12/2024

CVE-2024-42494

Publication date:
06/12/2024
Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x contain a feature that could enable sub accounts or attackers to view and exfiltrate sensitive information from all cloud accounts registered to Ruijie's services.
Severity CVSS v4.0: HIGH
Last modification:
10/12/2024

CVE-2024-47043

Publication date:
06/12/2024
Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could enable an attacker to correlate a device serial number and the user's phone number and part of the email address.
Severity CVSS v4.0: HIGH
Last modification:
10/12/2024

CVE-2024-11220

Publication date:
06/12/2024
A local low-level user on the server machine with credentials to the running OAS services can create and execute a report with an rdlx file on the server system itself. Any code within the rdlx file of the report executes with SYSTEM privileges, resulting in privilege escalation.
Severity CVSS v4.0: HIGH
Last modification:
23/01/2025

CVE-2024-55268

Publication date:
06/12/2024
A Reflected Cross Site Scripting (XSS) vulnerability was found in /covidtms/registered-user-testing.php in PHPGurukul COVID 19 Testing Management System 1.0 which allows remote attackers to execute arbitrary code via the regmobilenumber parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2024

CVE-2024-54143

Publication date:
06/12/2024
openwrt/asu is an image on demand server for OpenWrt based distributions. The request hashing mechanism truncates SHA-256 hashes to only 12 characters. This significantly reduces entropy, making it feasible for an attacker to generate collisions. By exploiting this, a previously built malicious image can be served in place of a legitimate one, allowing the attacker to "poison" the artifact cache and deliver compromised images to unsuspecting users. This can be combined with other attacks, such as a command injection in Imagebuilder that allows malicious users to inject arbitrary commands into the build process, resulting in the production of malicious firmware images signed with the legitimate build key. This has been patched with 920c8a1.
Severity CVSS v4.0: CRITICAL
Last modification:
06/12/2024

CVE-2024-54749

Publication date:
06/12/2024
Ubiquiti U7-Pro 7.0.35 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root. NOTE: this is disputed by the Supplier because the observation only established that a password is present in a firmware image; however, the device cannot be deployed without setting a new password during installation.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2024

CVE-2024-53691

Publication date:
06/12/2024
A link following vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained user access to traverse the file system to unintended locations.
We have already fixed the vulnerability in the following versions:
QTS 5.1.8.2823 build 20240712 and later
QTS 5.2.0.2802 build 20240620 and later
QuTS hero h5.1.8.2823 build 20240712 and later
QuTS hero h5.2.0.2802 build 20240620 and later
Severity CVSS v4.0: HIGH
Last modification:
23/09/2025

CVE-2024-50404

Publication date:
06/12/2024
A link following vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow remote attackers who have gained user access to traverse the file system to unintended locations.
We have already fixed the vulnerability in the following versions:
Qsync Central 4.4.0.16_20240819 (2024/08/19) and later
Severity CVSS v4.0: MEDIUM
Last modification:
10/12/2025

CVE-2024-48868

Publication date:
06/12/2024
An improper neutralization of CRLF sequences ('CRLF Injection') vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to modify application data.
We have already fixed the vulnerability in the following versions:
QTS 5.1.9.2954 build 20241120 and later
QTS 5.2.2.2950 build 20241114 and later
QuTS hero h5.1.9.2954 build 20241120 and later
QuTS hero h5.2.2.2952 build 20241116 and later
Severity CVSS v4.0: HIGH
Last modification:
23/09/2025