Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we provide a database for users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates that information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-52652

Publication date:
01/05/2024
In the Linux kernel, the following vulnerability has been resolved:

NTB: fix possible name leak in ntb_register_device()

If device_register() fails in ntb_register_device(), the device name allocated by dev_set_name() should be freed. As per the comment in device_register(), callers should use put_device() to give up the reference in the error path. So fix this by calling put_device() in the error path so that the name can be freed in kobject_cleanup().

As a result of this, put_device() in the error path of ntb_register_device() is removed and the actual error is returned.

[mani: reworded commit message]
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2025

CVE-2023-52653

Publication date:
01/05/2024
In the Linux kernel, the following vulnerability has been resolved:

SUNRPC: fix a memleak in gss_import_v2_context

The ctx->mech_used.data allocated by kmemdup is not freed in neither gss_import_v2_context nor its only caller gss_krb5_import_sec_context, which frees ctx on error.

Thus, this patch reforms the last call of gss_import_v2_context to the gss_krb5_import_ctx_v2, preventing the memleak while keeping the return formation.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2025

CVE-2024-0334

Publication date:
01/05/2024
The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom attribute of a link in several Elementor widgets in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
15/01/2025

CVE-2024-23597

Publication date:
01/05/2024
Cross-site request forgery (CSRF) vulnerability exists in TvRock 0.9t8a. If a logged-in user of TvRock accesses a specially crafted page, unintended operations may be performed. Note that the developer was unreachable; therefore, users should consider stopping use of TvRock 0.9t8a.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2024-24978

Publication date:
01/05/2024
Denial-of-service (DoS) vulnerability exists in TvRock 0.9t8a. Receiving a specially crafted request by a remote attacker or having a user of TvRock click a specially crafted request may lead to ABEND (abnormal end). Note that the developer was unreachable; therefore, users should consider stopping use of TvRock 0.9t8a.
Severity CVSS v4.0: Pending analysis
Last modification:
01/11/2024

CVE-2024-27023

Publication date:
01/05/2024
In the Linux kernel, the following vulnerability has been resolved:

md: Fix missing release of 'active_io' for flush

submit_flushes
atomic_set(&mddev->flush_pending, 1);
rdev_for_each_rcu(rdev, mddev)
atomic_inc(&mddev->flush_pending);
bi->bi_end_io = md_end_flush
submit_bio(bi);
/* flush io is done first */
md_end_flush
if (atomic_dec_and_test(&mddev->flush_pending))
percpu_ref_put(&mddev->active_io)
-> active_io is not released

if (atomic_dec_and_test(&mddev->flush_pending))
-> missing release of active_io

For consequence, mddev_suspend() will wait for 'active_io' to be zero forever.

Fix this problem by releasing 'active_io' in submit_flushes() if 'flush_pending' is decreased to zero.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2025

CVE-2024-27024

Publication date:
01/05/2024
In the Linux kernel, the following vulnerability has been resolved:

net/rds: fix WARNING in rds_conn_connect_if_down

If connection isn't established yet, get_mr() will fail, trigger connection after get_mr().
Severity CVSS v4.0: Pending analysis
Last modification:
23/12/2024

CVE-2024-27025

Publication date:
01/05/2024
In the Linux kernel, the following vulnerability has been resolved:

nbd: null check for nla_nest_start

nla_nest_start() may fail and return NULL. Insert a check and set errno based on other call sites within the same source code.
Severity CVSS v4.0: Pending analysis
Last modification:
23/12/2024

CVE-2024-27026

Publication date:
01/05/2024
In the Linux kernel, the following vulnerability has been resolved:

vmxnet3: Fix missing reserved tailroom

Use rbi->len instead of rcd->len for non-dataring packet.

Found issue:
XDP_WARN: xdp_update_frame_from_buff(line:278): Driver BUG: missing reserved tailroom
WARNING: CPU: 0 PID: 0 at net/core/xdp.c:586 xdp_warn+0xf/0x20
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W O 6.5.1 #1
RIP: 0010:xdp_warn+0xf/0x20
...
? xdp_warn+0xf/0x20
xdp_do_redirect+0x15f/0x1c0
vmxnet3_run_xdp+0x17a/0x400 [vmxnet3]
vmxnet3_process_xdp+0xe4/0x760 [vmxnet3]
? vmxnet3_tq_tx_complete.isra.0+0x21e/0x2c0 [vmxnet3]
vmxnet3_rq_rx_complete+0x7ad/0x1120 [vmxnet3]
vmxnet3_poll_rx_only+0x2d/0xa0 [vmxnet3]
__napi_poll+0x20/0x180
net_rx_action+0x177/0x390
Severity CVSS v4.0: Pending analysis
Last modification:
05/03/2025

CVE-2024-27027

Publication date:
01/05/2024
In the Linux kernel, the following vulnerability has been resolved:

dpll: fix dpll_xa_ref_*_del() for multiple registrations

Currently, if there are multiple registrations of the same pin on the same dpll device, following warnings are observed:
WARNING: CPU: 5 PID: 2212 at drivers/dpll/dpll_core.c:143 dpll_xa_ref_pin_del.isra.0+0x21e/0x230
WARNING: CPU: 5 PID: 2212 at drivers/dpll/dpll_core.c:223 __dpll_pin_unregister+0x2b3/0x2c0

The problem is, that in both dpll_xa_ref_dpll_del() and dpll_xa_ref_pin_del() registration is only removed from list in case the reference count drops to zero. That is wrong, the registration has to be removed always.

To fix this, remove the registration from the list and free it unconditionally, instead of doing it only when the ref reference counter reaches zero.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2025

CVE-2022-38386

Publication date:
01/05/2024
IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite for Software 1.10.12.0 through 1.10.19.0 do not set the SameSite attribute for sensitive cookies, which could allow an attacker to obtain sensitive information using man-in-the-middle techniques. IBM X-Force ID: 233778.
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2025

CVE-2024-32979

Publication date:
01/05/2024
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. It was discovered that due to improper handling and escaping of user-provided query parameters, a maliciously crafted Nautobot URL could potentially be used to execute a Reflected Cross-Site Scripting (Reflected XSS) attack against users. All filterable object-list views in Nautobot are vulnerable. This issue has been fixed in Nautobot versions 1.6.20 and 2.2.3. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025