Vulnerabilities

To inform, warn and assist professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-47160

Publication date:
19/09/2024
In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible
Severity CVSS v4.0: Pending analysis
Last modification:
24/09/2024

CVE-2024-47162

Publication date:
19/09/2024
In JetBrains YouTrack before 2024.3.44799 token could be revealed on Imports page
Severity CVSS v4.0: Pending analysis
Last modification:
24/09/2024

CVE-2024-8963

Publication date:
19/09/2024
Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.
Severity CVSS v4.0: Pending analysis
Last modification:
24/10/2025

CVE-2024-47159

Publication date:
19/09/2024
In JetBrains YouTrack before 2024.3.44799 user without appropriate permissions could restore workflows attached to a project
Severity CVSS v4.0: Pending analysis
Last modification:
24/09/2024

CVE-2024-8651

Publication date:
19/09/2024
A vulnerability in NetCat CMS allows an attacker to send a specially crafted HTTP request that can be used to check whether a user exists in the system, which could be a basis for further attacks. This issue affects NetCat CMS v. 6.4.0.24126.2 and possibly others. Apply the patch from the vendor (https://netcat.ru/). Versions 6.4.0.24248 and on have the patch.
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2024

CVE-2024-8652

Publication date:
19/09/2024
A vulnerability in NetCat CMS allows an attacker to execute JavaScript code in a user's browser when they visit a specific path on the site. This issue affects NetCat CMS v. 6.4.0.24126.2 and possibly others. Apply the patch from the vendor (https://netcat.ru/). Versions 6.4.0.24248 and on have the patch.
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2024

CVE-2024-8653

Publication date:
19/09/2024
A vulnerability in NetCat CMS allows an attacker to execute JavaScript code in a user's browser when they visit specific paths on the site. This issue affects NetCat CMS v. 6.4.0.24126.2 and possibly others. Apply the patch from the vendor (https://netcat.ru/). Versions 6.4.0.24248 and on have the patch.
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2024

CVE-2024-31570

Publication date:
19/09/2024
libfreeimage in FreeImage 3.4.0 through 3.18.0 has a stack-based buffer overflow in the PluginXPM.cpp Load function via an XPM file.
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2024

CVE-2024-38016

Publication date:
19/09/2024
Microsoft Office Visio Remote Code Execution Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
24/09/2024

CVE-2024-8375

Publication date:
19/09/2024
There exists a use after free vulnerability in Reverb. Reverb supports the VARIANT datatype, which is supposed to represent an arbitrary object in C++. When a tensor proto of type VARIANT is unpacked, memory is first allocated to store the entire tensor, and a ctor is called on each instance. Afterwards, Reverb copies the content in tensor_content to the previously mentioned pre-allocated memory, which results in the bytes in tensor_content overwriting the vtable pointers of all the objects which were previously allocated. Reverb exposes 2 relevant gRPC endpoints: InsertStream and SampleStream. The attacker can insert this stream into the server's database, then when the client next calls SampleStream they will unpack the tensor into RAM, and when any method on that object is called (including its destructor) the attacker gains control of the Program Counter. We recommend upgrading past git commit https://github.com/google-deepmind/reverb/commit/6a0dcf4c9e842b7f999912f792aaa6f6bd261a25
Severity CVSS v4.0: MEDIUM
Last modification:
22/07/2025

CVE-2024-8698

Publication date:
19/09/2024
A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2024

CVE-2024-8883

Publication date:
19/09/2024
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
Severity CVSS v4.0: Pending analysis
Last modification:
26/11/2024