Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally the list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still translating them. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recently added vulnerabilities.

CVE-2024-53863

Publication date:
03/12/2024
Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem. Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP. This vulnerability is fixed in 1.120.1.
Severity CVSS v4.0: HIGH
Last modification:
26/08/2025

CVE-2024-53867

Publication date:
03/12/2024
Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. This vulnerability is fixed in 1.120.1.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2024

CVE-2024-40691

Publication date:
03/12/2024
IBM Cognos Controller 11.0.0 and 11.0.1 could be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files into the system, which can then be sent to victims for performing further attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2024

CVE-2024-29404

Publication date:
03/12/2024
An issue in Razer Synapse 3 v.3.9.131.20813 and Synapse 3 App v.20240213 allows a local attacker to execute arbitrary code via the export parameter of the Chroma Effects function in the Profiles component.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2024

CVE-2024-37302

Publication date:
03/12/2024
Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media uploads/downloads failing to complete unavailability of the Synapse process, depending on how Synapse was deployed. Synapse 1.106 introduces a new "leaky bucket" rate limit on remote media downloads to reduce the amount of data a user can request at a time. This does not fully address the issue, but does limit an unauthenticated user's ability to request large amounts of data to be cached.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025
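The "leaky bucket" mitigation described in the CVE-2024-37302 entry, as an added example written for this page. It is not Synapse's own implementation; the bucket sizes, drain rates and the requester address are constructed for illustration. The level of each bucket is measured in bytes rather than requests, because the harm here is cached data volume, and a second, global bucket is added because an unauthenticated requester can trivially rotate the per-requester key.

```python
"""Leaky-bucket limit on bytes fetched per requester (an added example, not
Synapse's own implementation).

Each requester has a bucket that fills with the size of every remote fetch
they trigger and drains at a fixed rate. A fetch that would overflow the
bucket is refused, so a burst of requests cannot make the server download
and cache an unbounded amount of remote media. A second, global bucket
bounds total cache growth even when an unauthenticated adversary spreads
requests over many source addresses. Time is passed in explicitly so the
behaviour is reproducible; all parameters below are constructed.
"""
import time
from typing import Dict, List, Optional


class LeakyBucket:
    """Per-key bucket measured in bytes.

    The level rises by the size of each admitted fetch and drains
    continuously at drain_rate bytes per second; a fetch fits only if the
    drained level plus its size stays within capacity.
    """

    def __init__(self, capacity: int, drain_rate: float) -> None:
        self.capacity = capacity
        self.drain_rate = drain_rate
        self._level: Dict[str, float] = {}
        self._last: Dict[str, float] = {}

    def level(self, key: str, now: float) -> float:
        """Fill level for key after draining from the last update to now."""
        last = self._last.get(key, now)
        elapsed = max(0.0, now - last)
        lvl = max(0.0, self._level.get(key, 0.0) - elapsed * self.drain_rate)
        self._level[key] = lvl
        self._last[key] = now
        return lvl

    def fits(self, key: str, size: int, now: float) -> bool:
        return self.level(key, now) + size <= self.capacity

    def add(self, key: str, size: int, now: float) -> None:
        self._level[key] = self.level(key, now) + size


class RemoteMediaGuard:
    """Admit a remote-media fetch only if both the requester's bucket and
    the global bucket have room, then charge both."""

    GLOBAL_KEY = "*"

    def __init__(self, per_requester: LeakyBucket, overall: LeakyBucket) -> None:
        self.per_requester = per_requester
        self.overall = overall

    def allow(self, requester: str, size: int, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        # Check both buckets before charging either, so a refusal leaves
        # the levels unchanged.
        if not self.per_requester.fits(requester, size, now):
            return False
        if not self.overall.fits(self.GLOBAL_KEY, size, now):
            return False
        self.per_requester.add(requester, size, now)
        self.overall.add(self.GLOBAL_KEY, size, now)
        return True


MiB = 1024 * 1024


def demo() -> List[bool]:
    """One requester (constructed address) asks for 10 MiB repeatedly.

    Per-requester bucket: 50 MiB capacity draining 1 MiB/s. The first five
    fetches at t=0 fill it, the sixth is refused, and after 10 s enough has
    drained for one more.
    """
    guard = RemoteMediaGuard(
        per_requester=LeakyBucket(capacity=50 * MiB, drain_rate=1 * MiB),
        overall=LeakyBucket(capacity=200 * MiB, drain_rate=10 * MiB),
    )
    results = [guard.allow("203.0.113.7", 10 * MiB, now=0.0) for _ in range(6)]
    results.append(guard.allow("203.0.113.7", 10 * MiB, now=10.0))
    return results


if __name__ == "__main__":
    print(demo())
```

A limiter like this only bounds the rate of cache growth; as the entry notes, it does not remove the underlying ability of remote, unauthenticated parties to make the server cache content. Pairing it with a cap on total media store size and an eviction policy is what turns a slowed-down attack into a bounded one.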

CVE-2024-37303

Publication date:
03/12/2024
Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2024-25019

Publication date:
03/12/2024
IBM Cognos Controller 11.0.0 and 11.0.1 could be vulnerable to malicious file upload by not validating the type of file uploaded to Journal entry attachments. Attackers can make use of this weakness and upload malicious executable files into the system that can be sent to victims for performing further attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2024
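The two IBM Cognos Controller upload entries (CVE-2024-40691 and CVE-2024-25019) and the Synapse thumbnail entry (CVE-2024-53863) share one defensive idea: decide what a file is from its bytes, and only pass allow-listed formats on to anything that will decode or store them. The following is an added example written for this page, not code from Synapse or IBM. The allow-list mirrors the four formats the Synapse fix kept; the magic-byte signatures are the standard ones, and the sample inputs are constructed byte strings, not real files.

```python
"""Content-based file type allow-list (an added example, not Synapse's or
IBM Cognos Controller's code).

Two ideas from the entries above, in one check:
  * only hand a decoder formats you intend to support, identified by their
    leading bytes rather than by a client-supplied name (the Synapse fix
    kept PNG, JPEG, GIF and WebP);
  * for an upload handler, also require the declared extension to agree
    with the sniffed content, so an executable renamed to .png is refused.
All sample inputs below are constructed byte strings, not real files.
"""
import os
from typing import Optional, Tuple

# Formats the decoder is allowed to see (the set Synapse 1.120.1 kept).
ALLOWED_FORMATS = {"png", "jpeg", "gif", "webp"}

# Extensions that may accompany each allowed format.
EXTENSIONS = {
    "png": {".png"},
    "jpeg": {".jpg", ".jpeg"},
    "gif": {".gif"},
    "webp": {".webp"},
}


def sniff_format(data: bytes) -> Optional[str]:
    """Identify a file format from its magic bytes; None if unrecognised.

    Slicing is used throughout so short or empty inputs never raise.
    """
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    # Recognised so the refusal reason is informative, but never allowed:
    # PostScript/EPS (rendered via Ghostscript by some image libraries)
    # and Windows executables.
    if data[:2] == b"%!" or data[:4] == b"\xc5\xd0\xd3\xc6":
        return "postscript"
    if data[:2] == b"MZ":
        return "exe"
    return None


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Accept only when the content is an allow-listed image format and the
    client-supplied extension matches what the bytes actually are.
    """
    fmt = sniff_format(data)
    if fmt is None:
        return False, "unrecognised content"
    if fmt not in ALLOWED_FORMATS:
        return False, f"format {fmt} is not permitted"
    ext = os.path.splitext(filename.lower())[1]
    if ext not in EXTENSIONS[fmt]:
        return False, f"extension {ext!r} does not match content ({fmt})"
    return True, fmt


# Constructed samples: only the leading bytes matter for this check.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
WEBP_SAMPLE = b"RIFF" + b"\x00\x00\x00\x00" + b"WEBPVP8 " + b"\x00" * 8
EPS_SAMPLE = b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n"
EXE_SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8


def demo() -> dict:
    """Run the check over the constructed samples; keyed by scenario."""
    return {
        "png_ok": check_upload("photo.png", PNG_SAMPLE),
        "webp_ok": check_upload("sticker.webp", WEBP_SAMPLE),
        "eps_refused": check_upload("drawing.eps", EPS_SAMPLE),
        "exe_as_png_refused": check_upload("report.png", EXE_SAMPLE),
        "png_named_jpg_refused": check_upload("photo.jpg", PNG_SAMPLE),
        "empty_refused": check_upload("x.png", b""),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} {result}")
```

Sniffing the header is a gate, not a full parse: a file can carry a valid PNG signature and still be malformed further in, so the decoder that receives it should still run with limits (dimensions, decompressed size, timeouts) and, ideally, in a sandboxed worker. The point of the allow-list is to make sure that decoder is only ever one you chose to expose.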

CVE-2024-25035

Publication date:
03/12/2024
IBM Cognos Controller 11.0.0 and 11.0.1 exposes server details that could allow an attacker to obtain information about the application environment to conduct further attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2024

CVE-2024-25036

Publication date:
03/12/2024
IBM Cognos Controller 11.0.0 and 11.0.1 could allow an authenticated user with local access to bypass security controls, circumventing restrictions imposed on input fields.
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2024

CVE-2021-29892

Publication date:
03/12/2024
IBM Cognos Controller 11.0.0 and 11.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2024
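The check a tester would run for a finding like CVE-2021-29892, as an added example written for this page (not IBM's code, and not a description of the affected product's actual configuration): parse a response's Strict-Transport-Security header per RFC 6797 and report a missing header, an absent or short max-age, or a missing includeSubDomains. The hostnames and response headers are constructed.

```python
"""Check a response's Strict-Transport-Security policy (an added example,
not IBM's code or a description of the affected product's configuration).

Returns a list of findings; an empty list means the policy meets the
stated minimum (max-age of at least a year and includeSubDomains). The
sample response headers are constructed.
"""
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; the minimum required by browser preload lists


def evaluate_hsts(headers: Dict[str, str], min_max_age: int = ONE_YEAR) -> List[str]:
    """Parse the HSTS header (RFC 6797) and report weaknesses."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["Strict-Transport-Security missing: browsers will still follow "
                "http:// links, so a man in the middle can intercept the first request"]

    # Directive names are case-insensitive; values may be quoted.
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')

    findings: List[str] = []
    if "max-age" not in directives:
        findings.append("max-age missing: header is invalid and ignored")
    else:
        try:
            max_age = int(directives["max-age"])
        except ValueError:
            findings.append(f"max-age not an integer: {directives['max-age']!r}")
        else:
            if max_age == 0:
                findings.append("max-age=0 clears any stored policy")
            elif max_age < min_max_age:
                findings.append(f"max-age {max_age} is below {min_max_age}")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing: subdomains stay downgradable")
    return findings


# Constructed responses from three hypothetical hosts.
SAMPLE_RESPONSES = {
    "no-hsts.example": {"Content-Type": "text/html", "Server": "nginx"},
    "weak.example": {"strict-transport-security": "max-age=300"},
    "strong.example": {"Strict-Transport-Security":
                       "max-age=63072000; includeSubDomains; preload"},
}


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Evaluate every host's headers; hosts with no findings map to []."""
    return {host: evaluate_hsts(hdrs) for host, hdrs in responses.items()}


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_RESPONSES).items():
        print(host, "OK" if not findings else findings)
```

Two caveats when reading the result: browsers only honour the header when it arrives over HTTPS, so a policy sent on an http:// response is ignored, and the very first visit to a host is unprotected unless the domain is on the browser preload list. A clean result from this check is therefore necessary, not sufficient.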

CVE-2024-53999

Publication date:
03/12/2024
Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. The application allows users to upload files with scripts in the filename parameter. As a result, a malicious user can upload a script file to the system. When users in the application use the "Diff or Compare" functionality, they are affected by a Stored Cross-Site Scripting vulnerability. This vulnerability is fixed in 4.2.9.
Severity CVSS v4.0: Pending analysis
Last modification:
27/06/2025

CVE-2024-54000

Publication date:
03/12/2024
Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. In versions prior to 3.9.7, the requests.get() request in the _check_url method is specified as allow_redirects=True, which allows a server-side request forgery when a request to .well-known/assetlinks.json returns a 302 redirect. This is a bypass of the fix for CVE-2024-29190 and is fixed in 3.9.7.
Severity CVSS v4.0: Pending analysis
Last modification:
27/06/2025
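The CVE-2024-54000 entry describes the classic redirect bypass of an SSRF filter: the destination is checked, but requests.get() is left to follow a 302 on its own, so the checked URL and the fetched URL differ. Below is an added example written for this page, not MobSF's code, of the two-part fix a practitioner would apply: validate every URL, including each redirect target, and follow redirects manually with a hop limit. Network access is injected (a fetch callable and a resolver) so the example runs offline against constructed responses; the hostnames, addresses and response bodies are all constructed. In production the fetcher would wrap requests.get(url, allow_redirects=False, timeout=...) and return (status_code, headers, content), and the resolver would default to socket.getaddrinfo as shown.

```python
"""Redirect-safe fetch of a well-known URL (an added example, not MobSF's
code; the host names, addresses and responses below are constructed).

The vulnerable pattern is a single call that follows redirects blindly:

    requests.get(url, allow_redirects=True)   # a 302 can point anywhere

The hardened version (a) validates every URL, including each redirect
target, for an http(s) scheme and a host that resolves only to global
addresses, and (b) follows redirects itself with a hop limit.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

Response = Tuple[int, Dict[str, str], bytes]   # (status, headers, body)
Fetcher = Callable[[str], Response]             # GET that does NOT follow redirects
Resolver = Callable[[str], List[str]]           # hostname -> IP address strings

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def default_resolve(host: str) -> List[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_http_url(url: str, resolve: Resolver = default_resolve) -> bool:
    """True only for http(s) URLs whose host resolves solely to global addresses.

    Loopback, RFC 1918, link-local (including 169.254.169.254 metadata
    services), multicast, reserved and IPv4-mapped IPv6 forms of those all
    fail the check, as do unresolvable names and non-HTTP schemes.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = resolve(parts.hostname)
    except OSError:
        return False
    if not addrs:
        return False
    for text in addrs:
        try:
            ip = ipaddress.ip_address(text.split("%")[0])  # drop IPv6 zone id
        except ValueError:
            return False
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped                            # ::ffff:10.0.0.1 -> 10.0.0.1
        if not ip.is_global:
            return False
    return True


def fetch_public(url: str, fetch: Fetcher, resolve: Resolver = default_resolve,
                 max_hops: int = 3) -> Response:
    """GET url, following at most max_hops redirects and re-validating each hop."""
    for _ in range(max_hops + 1):
        if not is_public_http_url(url, resolve):
            raise ValueError(f"refusing non-public URL: {url}")
        status, headers, body = fetch(url)
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status in REDIRECT_STATUSES and location is not None:
            url = urljoin(url, location)   # Location may be relative
            continue
        return status, headers, body
    raise ValueError("too many redirects")


# ---- constructed scenario ------------------------------------------------
_DNS = {"app.example": ["93.184.216.34"],          # a public address (constructed)
        "metadata.internal": ["169.254.169.254"]}  # link-local metadata address

_RESPONSES: Dict[str, Response] = {
    "https://app.example/.well-known/assetlinks.json":
        (302, {"Location": "http://metadata.internal/latest/meta-data/"}, b""),
    "http://metadata.internal/latest/meta-data/":
        (200, {}, b"would be internal data"),
    "https://app.example/ok.json":
        (302, {"Location": "/.well-known/final.json"}, b""),
    "https://app.example/.well-known/final.json":
        (200, {}, b"[]"),
}


def fake_resolve(host: str) -> List[str]:
    return _DNS.get(host, [])


def fake_fetch(url: str) -> Response:
    return _RESPONSES[url]


def demo() -> dict:
    """Redirect to an internal address is refused; a same-host redirect is followed."""
    out: dict = {}
    try:
        fetch_public("https://app.example/.well-known/assetlinks.json", fake_fetch, fake_resolve)
        out["redirect_to_internal_blocked"] = False
    except ValueError as exc:
        out["redirect_to_internal_blocked"] = True
        out["reason"] = str(exc)
    out["same_host_redirect_body"] = fetch_public(
        "https://app.example/ok.json", fake_fetch, fake_resolve)[2]
    return out


if __name__ == "__main__":
    print(demo())
```

One gap remains by design of this approach: the name is resolved once for the check and again by the HTTP library for the connection, so an attacker controlling DNS can answer differently each time (rebinding). Closing that requires connecting to the address that was validated, for example by pinning the resolved IP at the transport layer and sending the original hostname in the Host header and SNI, or by performing the check inside the library's connection hook.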