Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-51512

Publication date:
16/03/2024
Cross Site Request Forgery (CSRF) vulnerability in WBW Product Table by WBW. This issue affects Product Table by WBW: from n/a through 1.8.6.
Severity CVSS v4.0: Pending analysis
Last modification:
27/03/2025

CVE-2023-51407

Publication date:
16/03/2024
Cross-Site Request Forgery (CSRF) vulnerability in Rocket Elements Split Test For Elementor. This issue affects Split Test For Elementor: from n/a through 1.6.9.
Severity CVSS v4.0: Pending analysis
Last modification:
27/02/2025

CVE-2024-28862

Publication date:
16/03/2024
The Ruby One Time Password library (ROTP) is an open source library for generating and validating one time passwords. Affected versions had overly permissive default permissions. Users should patch to version 6.3.0. Users unable to patch may correct file permissions after installation.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2025

CVE-2024-2514

Publication date:
15/03/2024
A vulnerability classified as critical was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. Affected by this vulnerability is an unknown functionality of the file /login.php. The manipulation of the argument email leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256951. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2024

CVE-2024-28859

Publication date:
15/03/2024
Symfony1 is a community fork of symfony 1.4 with DIC, form enhancements, latest Swiftmailer, better performance, composer compatible and PHP 8 support. Symfony 1 has a gadget chain due to a vulnerable Swift Mailer dependency that would enable an attacker to get remote code execution if a developer unserializes user input in their project. This vulnerability presents no direct threat but is a vector that will enable remote code execution if a developer deserializes untrusted user data. Symfony 1 depends on Swift Mailer, which is bundled by default in the vendor directory in the default installation since 1.3.0. Swift Mailer classes implement some `__destruct()` methods. These methods are called when PHP destroys the object in memory. However, it is possible to include any object type in `$this->_keys` to make PHP access array/object properties other than those intended by the developer. In particular, it is possible to abuse the array access which is triggered on foreach($this->_keys ...) for any class implementing the ArrayAccess interface. This may allow an attacker to execute any PHP command, which leads to remote code execution. This issue has been addressed in version 1.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2025

CVE-2024-23298

Publication date:
15/03/2024
A logic issue was addressed with improved state management.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2021-47119

Publication date:
15/03/2024
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix memory leak in ext4_fill_super

Buffer head references must be released before calling kill_bdev(); otherwise the buffer head (and its page referenced by b_data) will not be freed by kill_bdev, and subsequently that bh will be leaked.

If blocksizes differ, sb_set_blocksize() will kill current buffers and page cache by using kill_bdev(). And then super block will be reread again but using correct blocksize this time. sb_set_blocksize() didn't fully free superblock page and buffer head, and being busy, they were not freed and instead leaked.

This can easily be reproduced by calling an infinite loop of:

systemctl start .mount, and
systemctl stop .mount

... since systemd creates a cgroup for each slice which it mounts, and the bh leak gets amplified by a dying memory cgroup that also never gets freed, and memory consumption is much more easily noticed.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2025

CVE-2021-47120

Publication date:
15/03/2024
In the Linux kernel, the following vulnerability has been resolved:

HID: magicmouse: fix NULL-deref on disconnect

Commit 9d7b18668956 ("HID: magicmouse: add support for Apple Magic Trackpad 2") added a sanity check for an Apple trackpad but returned success instead of -ENODEV when the check failed. This means that the remove callback will dereference the never-initialised driver data pointer when the driver is later unbound (e.g. on USB disconnect).
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2025

CVE-2021-47121

Publication date:
15/03/2024
In the Linux kernel, the following vulnerability has been resolved:

net: caif: fix memory leak in cfusbl_device_notify

In case of caif_enroll_dev() fail, allocated link_support won't be assigned to the corresponding structure. So simply free allocated pointer in case of error.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2025

CVE-2021-47122

Publication date:
15/03/2024
In the Linux kernel, the following vulnerability has been resolved:

net: caif: fix memory leak in caif_device_notify

In case of caif_enroll_dev() fail, allocated link_support won't be assigned to the corresponding structure. So simply free allocated pointer in case of error
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2025

CVE-2021-47123

Publication date:
15/03/2024
In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix ltout double free on completion race

Always remove linked timeout on io_link_timeout_fn() from the master request link list, otherwise we may get use-after-free when first io_link_timeout_fn() puts linked timeout in the fail path, and then will be found and put on master's free.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2025

CVE-2021-47124

Publication date:
15/03/2024
In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix link timeout refs

WARNING: CPU: 0 PID: 10242 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Call Trace:
__refcount_sub_and_test include/linux/refcount.h:283 [inline]
__refcount_dec_and_test include/linux/refcount.h:315 [inline]
refcount_dec_and_test include/linux/refcount.h:333 [inline]
io_put_req fs/io_uring.c:2140 [inline]
io_queue_linked_timeout fs/io_uring.c:6300 [inline]
__io_queue_sqe+0xbef/0xec0 fs/io_uring.c:6354
io_submit_sqe fs/io_uring.c:6534 [inline]
io_submit_sqes+0x2bbd/0x7c50 fs/io_uring.c:6660
__do_sys_io_uring_enter fs/io_uring.c:9240 [inline]
__se_sys_io_uring_enter+0x256/0x1d60 fs/io_uring.c:9182

io_link_timeout_fn() should put only one reference of the linked timeout request, however in case of racing with the master request's completion first io_req_complete() puts one and then io_put_req_deferred() is called.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2025