Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-28752

Publication date:
15/03/2024
A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.
Severity CVSS v4.0: Pending analysis
Last modification:
27/06/2025

CVE-2024-23944

Publication date:
15/03/2024
Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn&amp;#39;t do ACL check when the persistent watcher is triggered and as a consequence, the full path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher. It&amp;#39;s important to note that only the path is exposed by this vulnerability, not the data of znode, but since znode path can contain sensitive information like user name or login ID, this issue is potentially critical.<br /> <br /> Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2024-2490

Publication date:
15/03/2024
A vulnerability classified as critical was found in Tenda AC18 15.03.05.05. Affected by this vulnerability is the function setSchedWifi of the file /goform/openSchedWifi. The manipulation of the argument schedStartTime/schedEndTime leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256897 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2025

CVE-2024-2450

Publication date:
15/03/2024
Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2024

CVE-2024-2446

Publication date:
15/03/2024
Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to limit the number of @-mentions processed per message, allowing an authenticated attacker to crash the client applications of other users via large, crafted messages.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2024

CVE-2024-2445

Publication date:
15/03/2024
Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an attacker to perform reflected cross-site scripting attacks against the users of the Mattermost server.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2024

CVE-2024-2488

Publication date:
15/03/2024
A vulnerability was found in Tenda AC18 15.03.05.05. It has been rated as critical. This issue affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg. The manipulation of the argument startIP leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256895. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2025

CVE-2024-2489

Publication date:
15/03/2024
A vulnerability classified as critical has been found in Tenda AC18 15.03.05.05. Affected is the function formSetQosBand of the file /goform/SetNetControlList. The manipulation of the argument list leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256896. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2025

CVE-2024-2487

Publication date:
15/03/2024
A vulnerability was found in Tenda AC18 15.03.05.05. It has been declared as critical. This vulnerability affects the function formSetDeviceName of the file /goform/SetOnlineDevName. The manipulation of the argument devName/mac leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-256894 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2025

CVE-2024-28053

Publication date:
15/03/2024
Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2024

CVE-2024-24975

Publication date:
15/03/2024
Uncontrolled Resource Consumption in Mattermost Mobile versions before 2.13.0 fails to limit the size of the code block that will be processed by the syntax highlighter, allowing an attacker to send a very large code block and crash the mobile app.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2024-2486

Publication date:
15/03/2024
A vulnerability was found in Tenda AC18 15.03.05.05. It has been classified as critical. This affects the function formQuickIndex of the file /goform/QuickIndex. The manipulation of the argument PPPOEPassword leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256893 was assigned to this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2025