Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-30264
Publication date:
04/04/2024
Typebot is an open-source chatbot builder. A reflected cross-site scripting (XSS) in the sign-in page of typebot.io prior to version 2.24.0 may allow an attacker to hijack a user's account. The sign-in page takes the `redirectPath` parameter from the URL. If a user clicks on a link where the `redirectPath` parameter has a javascript scheme, the attacker that crafted the link may be able to execute arbitrary JavaScript with the privileges of the user. Version 2.24.0 contains a patch for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2026

CVE-2023-45288
Publication date:
04/04/2024
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-22023
Publication date:
04/04/2024
An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in-order-to temporarily cause resource exhaustion thereby resulting in a limited-time DoS.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2024

CVE-2024-22052
Publication date:
04/04/2024
A null pointer dereference vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2024

CVE-2024-22053
Publication date:
04/04/2024
A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x<br /> 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack or in certain conditions read contents from memory.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2024

CVE-2024-24795
Publication date:
04/04/2024
HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.<br /> <br /> Users are recommended to upgrade to version 2.4.59, which fixes this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2025

CVE-2024-29386
Publication date:
04/04/2024
projeqtor up to 11.2.0 was discovered to contain a SQL injection vulnerability via the component /view/criticalResourceExport.php.
Severity CVSS v4.0: Pending analysis
Last modification:
11/04/2025

CVE-2024-29387
Publication date:
04/04/2024
projeqtor up to 11.2.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /view/print.php.
Severity CVSS v4.0: Pending analysis
Last modification:
11/04/2025

CVE-2023-38709
Publication date:
04/04/2024
Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses.<br /> <br /> This issue affects Apache HTTP Server: through 2.4.58.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2024-27316
Publication date:
04/04/2024
HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2024-30255
Publication date:
04/04/2024
Envoy is a cloud-native, open source edge and service proxy. The HTTP/2 protocol stack in Envoy versions prior to 1.29.3, 1.28.2, 1.27.4, and 1.26.8 are vulnerable to CPU exhaustion due to flood of CONTINUATION frames. Envoy&amp;#39;s HTTP/2 codec allows the client to send an unlimited number of CONTINUATION frames even after exceeding Envoy&amp;#39;s header map limits. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set causing CPU utilization, consuming approximately 1 core per 300Mbit/s of traffic and culminating in denial of service through CPU exhaustion. Users should upgrade to version 1.29.3, 1.28.2, 1.27.4, or 1.26.8 to mitigate the effects of the CONTINUATION flood. As a workaround, disable HTTP/2 protocol for downstream connections.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2024-29193
Publication date:
04/04/2024
gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to DOM-based cross-site scripting. The index page (`index.html`) shows the available streams by fetching the API in the client side. Then, it uses `Object.entries` to iterate over the result whose first item (`name`) gets appended using `innerHTML`. In the event of a victim visiting the server in question, their browser will execute the request against the go2rtc instance. After the request, the browser will be redirected to go2rtc, in which the XSS would be executed in the context of go2rtc’s origin. As of time of publication, no patch is available.
Severity CVSS v4.0: Pending analysis
Last modification:
02/09/2025
Subscribe to Vulnerabilities