Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-57933

Publication date:
21/01/2025
In the Linux kernel, the following vulnerability has been resolved:

gve: guard XSK operations on the existence of queues

This patch predicates the enabling and disabling of XSK pools on the existence of queues. As it stands, if the interface is down, disabling or enabling XSK pools would result in a crash, as the RX queue pointer would be NULL. XSK pool registration will occur as part of the next interface up.

Similarly, xsk_wakeup needs to be guarded against queues disappearing while the function is executing, so a check against the GVE_PRIV_FLAGS_NAPI_ENABLED flag is added to synchronize with the disabling of the bit and the synchronize_net() in gve_turndown.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2024-57930

Publication date:
21/01/2025
In the Linux kernel, the following vulnerability has been resolved:

tracing: Have process_string() also allow arrays

In order to catch a common bug where a TRACE_EVENT() TP_fast_assign() assigns an address of an allocated string to the ring buffer and then references it in TP_printk(), which can be executed hours later when the string has been freed, the function test_event_printk() runs on all events as they are registered to make sure there's no unwanted dereferencing.

It calls process_string() to handle cases in the TP_printk() format that have "%s". It returns whether or not the string is safe. But it can have some false positives.

For instance, xe_bo_move() has:

TP_printk("move_lacks_source:%s, migrate object %p [size %zu] from %s to %s device_id:%s",
__entry->move_lacks_source ? "yes" : "no", __entry->bo, __entry->size,
xe_mem_type_to_name[__entry->old_placement],
xe_mem_type_to_name[__entry->new_placement], __get_str(device_id))

Where the "%s" references into xe_mem_type_to_name[]. This is an array of pointers that should be safe for the event to access. Instead of flagging this as a bad reference, if a reference points to an array, where the record field is the index, consider it safe.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-57931

Publication date:
21/01/2025
In the Linux kernel, the following vulnerability has been resolved:

selinux: ignore unknown extended permissions

When evaluating extended permissions, ignore unknown permissions instead of calling BUG(). This commit ensures that future permissions can be added without interfering with older kernels.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-52973

Publication date:
21/01/2025
An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/log_entries/summary. This can be carried out by users with read access to the Observability-Logs feature in Kibana.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2025

CVE-2025-0450

Publication date:
21/01/2025
The Betheme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom JS functionality in all versions up to, and including, 27.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2025

CVE-2024-13230

Publication date:
21/01/2025
The Social Share, Social Login and Social Comments Plugin – Super Socializer plugin for WordPress is vulnerable to Limited SQL Injection via the ‘SuperSocializerKey’ parameter in all versions up to, and including, 7.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional values into the already existing query that can be used to extract user metadata from the database.
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2025

CVE-2024-13444

Publication date:
21/01/2025
The wp-greet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2024-37284

Publication date:
21/01/2025
Improper handling of alternate encoding occurs when Elastic Defend on Windows systems attempts to scan a file or process encoded as a multibyte character. This leads to an uncaught exception causing Elastic Defend to crash which in turn will prevent it from quarantining the file and/or killing the process.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2024-43709

Publication date:
21/01/2025
An allocation of resources without limits or throttling in Elasticsearch can lead to an OutOfMemoryError exception resulting in a crash via a specially crafted query using an SQL function.
Severity CVSS v4.0: Pending analysis
Last modification:
21/02/2025

CVE-2024-11226

Publication date:
21/01/2025
The FireCask Like & Share Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2025-23184

Publication date:
21/01/2025
A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients).
Severity CVSS v4.0: Pending analysis
Last modification:
15/12/2025

CVE-2024-12005

Publication date:
21/01/2025
The WP-BibTeX plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on the wp_bibtex_option_page() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
31/01/2025