Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible, with the option to select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-46904

Publication date:
26/02/2024
In the Linux kernel, the following vulnerability has been resolved:

net: hso: fix null-ptr-deref during tty device unregistration

Multiple ttys try to claim the same minor number causing a double unregistration of the same device. The first unregistration succeeds but the next one results in a null-ptr-deref.

The get_free_serial_index() function returns an available minor number but doesn't assign it immediately. The assignment is done by the caller later. But before this assignment, calls to get_free_serial_index() would return the same minor number.

Fix this by modifying get_free_serial_index to assign the minor number immediately after one is found to be and rename it to obtain_minor() to better reflect what it does. Similarly, rename set_serial_by_index() to release_minor() and modify it to free up the minor number of the given hso_serial. Every obtain_minor() should have a corresponding release_minor() call.
Severity CVSS v4.0: Pending analysis
Last modification:
17/04/2024

CVE-2021-46905

Publication date:
26/02/2024
In the Linux kernel, the following vulnerability has been resolved:

net: hso: fix NULL-deref on disconnect regression

Commit 8a12f8836145 ("net: hso: fix null-ptr-deref during tty device unregistration") fixed the racy minor allocation reported by syzbot, but introduced an unconditional NULL-pointer dereference on every disconnect instead.

Specifically, the serial device table must no longer be accessed after the minor has been released by hso_serial_tty_unregister().
Severity CVSS v4.0: Pending analysis
Last modification:
17/04/2024

CVE-2022-34357

Publication date:
26/02/2024
IBM Cognos Analytics Mobile Server 11.1.7, 11.2.4, and 12.0.0 is vulnerable to Denial of Service due to weak or absent rate limiting. By making unlimited HTTP requests, it is possible for a single user to exhaust server resources over a period of time, making the service unavailable for other legitimate users. IBM X-Force ID: 230510.
Severity CVSS v4.0: Pending analysis
Last modification:
17/12/2024

CVE-2022-48626

Publication date:
26/02/2024
In the Linux kernel, the following vulnerability has been resolved:

moxart: fix potential use-after-free on remove path

It was reported that the mmc host structure could be accessed after it was freed in moxart_remove(), so fix this by saving the base register of the device and using it instead of the pointer dereference.
Severity CVSS v4.0: Pending analysis
Last modification:
27/08/2024

CVE-2024-21501

Publication date:
24/02/2024
Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2025

CVE-2024-21502

Publication date:
24/02/2024
Versions of the package fastecdsa before 2.3.2 are vulnerable to Use of Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due to being used and interpreted as user-defined type. Depending on the variable's actual value it could be arbitrary free(), arbitrary realloc(), null pointer dereference and other. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structure, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2025

CVE-2024-1810

Publication date:
24/02/2024
The Archivist – Custom Archive Templates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode_attributes' parameter in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2024-22395

Publication date:
24/02/2024
Improper access control vulnerability has been identified in the SMA100 SSL-VPN virtual office portal, which in specific conditions could potentially enable a remote authenticated attacker to associate another user's MFA mobile application.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2024

CVE-2024-22988

Publication date:
23/02/2024
ZKteco ZKBio WDMS before 9.0.2 Build 20250526 allows an attacker to download a database backup via the /files/backup/ component because the filename is based on a predictable timestamp.
Severity CVSS v4.0: Pending analysis
Last modification:
07/06/2025

CVE-2024-25469

Publication date:
23/02/2024
SQL Injection vulnerability in CRMEB crmeb_java v.1.3.4 and before allows a remote attacker to obtain sensitive information via the latitude and longitude parameters in the api/front/store/list component.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2025

CVE-2024-26188

Publication date:
23/02/2024
Microsoft Edge (Chromium-based) Spoofing Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2024

CVE-2024-26192

Publication date:
23/02/2024
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2024