Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-12083

Publication date:

14/01/2025

Path Traversal Vulnerabilities (CWE-22) exist in NJ/NX-series Machine Automation Controllers. An attacker may use these vulnerabilities to perform unauthorized access and to execute unauthorized code remotely to the controller products.

Severity CVSS v4.0: Pending analysis

Last modification:

14/01/2025

CVE-2024-12298

Publication date:

14/01/2025

We found a vulnerability Improper Restriction of XML External Entity Reference (CWE-611) in NB-series NX-Designer. Attackers may be able to abuse this vulnerability to disclose confidential data on a computer.

Severity CVSS v4.0: Pending analysis

Last modification:

14/01/2025

CVE-2024-57615

Publication date:

14/01/2025

An issue in the BATcalcbetween_intern component of MonetDB Server v11.47.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

Severity CVSS v4.0: Pending analysis

Last modification:

10/04/2025

CVE-2024-57616

Publication date:

14/01/2025

An issue in the vscanf component of MonetDB Server v11.47.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

Severity CVSS v4.0: Pending analysis

Last modification:

10/04/2025

CVE-2024-56138

Publication date:

13/01/2025

notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Based on Notary Project specifications. This issue was identified during Quarkslab&#39;s audit of the timestamp feature. During the timestamp signature generation, the revocation status of the certificate(s) used to generate the timestamp signature was not verified. During timestamp signature generation, notation-go did not check the revocation status of the certificate chain used by the TSA. This oversight creates a vulnerability that could be exploited through a Man-in-The-Middle attack. An attacker could potentially use a compromised, intermediate, or revoked leaf certificate to generate a malicious countersignature, which would then be accepted and stored by `notation`. This could lead to denial of service scenarios, particularly in CI/CD environments during signature verification processes because timestamp signature would fail due to the presence of a revoked certificate(s) potentially disrupting operations. This issue has been addressed in release version 1.3.0-rc.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

13/01/2025

CVE-2024-57811

Publication date:

13/01/2025

In Eaton X303 3.5.16 - X303 3.5.17 Build 712, an attacker with network access to a XC-303 PLC can login as root over SSH. The root password is hardcoded in the firmware. NOTE: This vulnerability appears in versions that are no longer supported by Eaton.

Severity CVSS v4.0: Pending analysis

Last modification:

16/01/2025

CVE-2024-56323

Publication date:

13/01/2025

OpenFGA is an authorization/permission engine. IN OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2) are vulnerable to authorization bypass under the following conditions: 1. calling Check API or ListObjects with a model that uses [conditions](https://openfga.dev/docs/modeling/conditions), and 2. calling Check API or ListObjects API with [contextual tuples](https://openfga.dev/docs/concepts#what-are-contextual-tuples) that include conditions and 3. OpenFGA is configured with caching enabled (`OPENFGA_CHECK_QUERY_CACHE_ENABLED`). Users are advised to upgrade to v1.8.3. There are no known workarounds for this vulnerability.

Severity CVSS v4.0: MEDIUM

Last modification:

31/12/2025

CVE-2023-42246

Publication date:

13/01/2025

Selesta Visual Access Manager

Severity CVSS v4.0: Pending analysis

Last modification:

17/04/2025

CVE-2023-42247

Publication date:

13/01/2025

Selesta Visual Access Manager

Severity CVSS v4.0: Pending analysis

Last modification:

17/04/2025

CVE-2023-42248

Publication date:

13/01/2025

An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2. An authenticated attacker can write arbitrary files by manipulating POST parameters of the page "common/vam_Sql.php".

Severity CVSS v4.0: Pending analysis

Last modification:

17/04/2025