Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, since there is the option to select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-3779

Publication date:
16/07/2024
Denial of service vulnerability present shortly after product installation or upgrade, potentially allowed an attacker to render ESET’s security product inoperable, provided non-default preconditions were met.
Severity CVSS v4.0: Pending analysis
Last modification:
21/08/2024

CVE-2023-52290

Publication date:
16/07/2024
In streampark-console the list pages (e.g. application pages), users can sort the page by field. This sort field is sent from the front-end to the back-end, and the SQL query is generated using this field. However, because this sort field isn't validated, there is a risk of SQL injection vulnerability. The attacker must successfully log into the system to launch an attack, which may cause data leakage. Since no data will be written, this is a low-impact vulnerability.

Mitigation:

All users should upgrade to 2.1.4; such parameters will be blocked.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2024-41008

Publication date:
16/07/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: change vm->task_info handling

This patch changes the handling and lifecycle of vm->task_info object.
The major changes are:
- vm->task_info is a dynamically allocated ptr now, and its usage is
reference counted.
- introducing two new helper funcs for task_info lifecycle management
- amdgpu_vm_get_task_info: reference counts up task_info before
returning this info
- amdgpu_vm_put_task_info: reference counts down task_info
- last put to task_info() frees task_info from the vm.

This patch also does logistical changes required for existing usage
of vm->task_info.

V2: Do not block all the prints when task_info not found (Felix)

V3: Fixed review comments from Felix
- Fix wrong indentation
- No debug message for -ENOMEM
- Add NULL check for task_info
- Do not duplicate the debug messages (ti vs no ti)
- Get first reference of task_info in vm_init(), put last
in vm_fini()

V4: Fixed review comments from Felix
- fix double reference increment in create_task_info
- change amdgpu_vm_get_task_info_pasid
- additional changes in amdgpu_gem.c while porting
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2025

CVE-2024-6559

Publication date:
16/07/2024
The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 4.7.3. This is due to the plugin utilizing sabre without preventing direct access to the files. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
Severity CVSS v4.0: Pending analysis
Last modification:
16/07/2024

CVE-2024-4780

Publication date:
16/07/2024
The Image Hover Effects – Elementor Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘eihe_link’ parameter in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
16/07/2024

CVE-2024-6557

Publication date:
16/07/2024
The SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 5.1.3. This is due to the plugin utilizing the wpdeveloper library and leaving the demo files in place with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
Severity CVSS v4.0: Pending analysis
Last modification:
16/07/2024

CVE-2024-6780

Publication date:
16/07/2024
Improper permission control in the mobile application (com.android.server.telecom) may lead to user information security risks.
Severity CVSS v4.0: Pending analysis
Last modification:
30/10/2024

CVE-2024-40524

Publication date:
15/07/2024
Directory Traversal vulnerability in xmind2testcase v.1.5 allows a remote attacker to execute arbitrary code via the webtool\application.py component.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2024

CVE-2024-40632

Publication date:
15/07/2024
Linkerd is an open source, ultralight, security-first service mesh for Kubernetes. In affected versions when the application being run by linkerd is susceptible to SSRF, an attacker could potentially trigger a denial-of-service (DoS) attack by making requests to localhost:4191/shutdown. Linkerd could introduce an optional environment variable to control a token that must be passed as a header. Linkerd should reject shutdown requests that do not include this header. This issue has been addressed in release version edge-24.6.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
16/07/2024

CVE-2024-4143

Publication date:
15/07/2024
A potential security vulnerability has been identified in certain HP PC products using AMI BIOS, which might allow arbitrary code execution. AMI has released firmware updates to mitigate this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2024

CVE-2024-4224

Publication date:
15/07/2024
An authenticated stored cross-site scripting (XSS) exists in the TP-Link TL-SG1016DE affecting version TL-SG1016DE(UN) V7.6_1.0.0 Build 20230616, which could allow an adversary to run JavaScript in an administrator's browser. This issue was fixed in TL-SG1016DE(UN) V7_1.0.1 Build 20240628.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2024

CVE-2024-40627

Publication date:
15/07/2024
Fastapi OPA is an opensource fastapi middleware which includes auth flow. HTTP `OPTIONS` requests are always allowed by `OpaMiddleware`, even when they lack authentication, and are passed through directly to the application. `OpaMiddleware` allows all HTTP `OPTIONS` requests without evaluating it against any policy. If an application provides different responses to HTTP `OPTIONS` requests based on an entity existing (such as to indicate whether an entity is writable on a system level), an unauthenticated attacker could discover which entities exist within an application. This issue has been addressed in release version 2.0.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
16/07/2024