Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-42480
Publication date:
12/08/2024
Kamaji is the Hosted Control Plane Manager for Kubernetes. In versions 1.0.0 and earlier, Kamaji uses an "open at the top" range definition in RBAC for etcd roles leading to some TCPs API servers being able to read, write, and delete the data of other control planes. This vulnerability is fixed in edge-24.8.2.
Severity CVSS v4.0: Pending analysis
Last modification:
16/08/2024

CVE-2024-42481
Publication date:
12/08/2024
Skyport Daemon (skyportd) is the daemon for the Skyport Panel. By making thousands of folders & files (easy due to skyport's lack of rate limiting on createFolder. createFile), skyportd in a lot of cases will cause 100% CPU usage and an OOM, probably crashing the system. This is fixed in 0.2.2.
Severity CVSS v4.0: Pending analysis
Last modification:
16/09/2024

CVE-2023-7249
Publication date:
12/08/2024
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in OpenText OpenText Directory Services allows Path Traversal.This issue affects OpenText Directory Services: from 16.4.2 before 24.1.
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2024

CVE-2024-42477
Publication date:
12/08/2024
llama.cpp provides LLM inference in C/C++. The unsafe `type` member in the `rpc_tensor` structure can cause `global-buffer-overflow`. This vulnerability may lead to memory data leakage. The vulnerability is fixed in b3561.
Severity CVSS v4.0: Pending analysis
Last modification:
15/08/2024

CVE-2024-42478
Publication date:
12/08/2024
llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause arbitrary address reading. This vulnerability is fixed in b3561.
Severity CVSS v4.0: Pending analysis
Last modification:
15/08/2024

CVE-2024-42479
Publication date:
12/08/2024
llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause arbitrary address writing. This vulnerability is fixed in b3561.
Severity CVSS v4.0: Pending analysis
Last modification:
15/08/2024

CVE-2024-42520
Publication date:
12/08/2024
TOTOLINK A3002R v4.0.0-B20230531.1404 contains a buffer overflow vulnerability in /bin/boa via formParentControl.
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2024

CVE-2024-6917
Publication date:
12/08/2024
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Veribilim Software Veribase Order Management allows OS Command Injection.This issue affects Veribase Order Management: before v4.010.2.
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2024

CVE-2024-27443
Publication date:
12/08/2024
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.
Severity CVSS v4.0: Pending analysis
Last modification:
31/10/2025

CVE-2024-27442
Publication date:
12/08/2024
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The zmmailboxdmgr binary, a component of ZCS, is intended to be executed by the zimbra user with root privileges for specific mailbox operations. However, an attacker can escalate privileges from the zimbra user to root, because of improper handling of input arguments. An attacker can execute arbitrary commands with elevated privileges, leading to local privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2024

CVE-2024-33533
Publication date:
12/08/2024
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0, issue 1 of 2. A reflected cross-site scripting (XSS) vulnerability has been identified in the Zimbra webmail admin interface. This vulnerability occurs due to inadequate input validation of the packages parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user's browser session. By uploading a malicious JavaScript file and crafting a URL containing its location in the packages parameter, the attacker can exploit this vulnerability. Subsequently, when another user visits the crafted URL, the malicious JavaScript code is executed.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2025

CVE-2024-33535
Publication date:
12/08/2024
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability involves unauthenticated local file inclusion (LFI) in a web application, specifically impacting the handling of the packages parameter. Attackers can exploit this flaw to include arbitrary local files without authentication, potentially leading to unauthorized access to sensitive information. The vulnerability is limited to files within a specific directory.
Severity CVSS v4.0: Pending analysis
Last modification:
19/03/2025
Subscribe to Vulnerabilities