Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-56709

Publication date:
29/12/2024
In the Linux kernel, the following vulnerability has been resolved:

io_uring: check if iowq is killed before queuing

task work can be executed after the task has gone through io_uring termination, whether it's the final task_work run or the fallback path. In this case, task work will find ->io_wq being already killed and null'ed, which is a problem if it then tries to forward the request to io_queue_iowq(). Make io_queue_iowq() fail requests in this case.

Note that it also checks PF_KTHREAD, because the user can first close a DEFER_TASKRUN ring and shortly after kill the task, in which case ->iowq check would race.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-56710

Publication date:
29/12/2024
In the Linux kernel, the following vulnerability has been resolved:

ceph: fix memory leak in ceph_direct_read_write()

The bvecs array which is allocated in iter_get_bvecs_alloc() is leaked and pages remain pinned if ceph_alloc_sparse_ext_map() fails.

There is no need to delay the allocation of sparse_ext map until after the bvecs array is set up, so fix this by moving sparse_ext allocation a bit earlier. Also, make a similar adjustment in __ceph_sync_read() for consistency (a leak of the same kind in __ceph_sync_read() has been addressed differently).
Severity CVSS v4.0: Pending analysis
Last modification:
17/04/2025

CVE-2024-13006

Publication date:
29/12/2024
A vulnerability, which was classified as critical, has been found in 1000 Projects Human Resource Management System 1.0. This issue affects some unknown processing of the file /employeeview.php. The manipulation of the argument search leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
29/12/2024

CVE-2024-13005

Publication date:
29/12/2024
A vulnerability classified as critical was found in 1000 Projects Attendance Tracking Management System 1.0. This vulnerability affects unknown code of the file /admin/attendance_action.php. The manipulation of the argument attendance_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
05/03/2025

CVE-2024-56737

Publication date:
29/12/2024
GNU GRUB (aka GRUB2) through 2.12 has a heap-based buffer overflow in fs/hfs.c via crafted sblock data in an HFS filesystem.
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2025

CVE-2024-56738

Publication date:
29/12/2024
GNU GRUB (aka GRUB2) through 2.12 does not use a constant-time algorithm for grub_crypto_memcmp and thus allows side-channel attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2025

CVE-2018-25107

Publication date:
29/12/2024
The Crypt::Random::Source package before 0.13 for Perl has a fallback to the built-in rand() function, which is not a secure source of random bits.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-13004

Publication date:
29/12/2024
A vulnerability classified as critical has been found in PHPGurukul Complaint Management System 1.0. This affects an unknown part of the file /admin/category.php. The manipulation of the argument state leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
29/12/2024

CVE-2024-12238

Publication date:
29/12/2024
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.8.22. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
Severity CVSS v4.0: Pending analysis
Last modification:
18/04/2025

CVE-2024-13003

Publication date:
29/12/2024
A vulnerability was found in 1000 Projects Portfolio Management System MCA 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /update_ed.php. The manipulation of the argument e_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
22/04/2025

CVE-2024-13002

Publication date:
29/12/2024
A vulnerability was found in 1000 Projects Bookstore Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /order_process.php. The manipulation of the argument fnm leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
22/04/2025

CVE-2024-13001

Publication date:
29/12/2024
A vulnerability was found in PHPGurukul Small CRM 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/index.php. The manipulation of the argument email leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
03/04/2025