Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, for example vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-23328

Publication date:
29/02/2024
Dataease is an open source data visualization analysis tool. A deserialization vulnerability exists in the DataEase datasource, which can be exploited to execute arbitrary code. The location of the vulnerability code is `core/core-backend/src/main/java/io/dataease/datasource/type/Mysql.java`. The blacklist of mysql jdbc attacks can be bypassed and attackers can further exploit it for deserialized execution or reading arbitrary files. This vulnerability is patched in 1.18.15 and 2.3.0.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2025

CVE-2024-22936

Publication date:
29/02/2024
Cross-site scripting (XSS) vulnerability in Parents & Student Portal in Genesis School Management Systems in Genesis AIMS Student Information Systems v.3053 allows remote attackers to inject arbitrary web script or HTML via the message parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2025

CVE-2024-22939

Publication date:
29/02/2024
Cross Site Request Forgery vulnerability in FlyCms v.1.0 allows a remote attacker to execute arbitrary code via the system/article/category_edit component.
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2025

CVE-2024-23052

Publication date:
29/02/2024
An issue in WuKongOpenSource WukongCRM v.72crm_9.0.1_20191202 allows a remote attacker to execute arbitrary code via the parseObject() function in the fastjson component.
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2025

CVE-2024-22251

Publication date:
29/02/2024
VMware Workstation and Fusion contain an out-of-bounds read vulnerability in the USB CCID (chip card interface device). A malicious actor with local administrative privileges on a virtual machine may trigger an out-of-bounds read leading to information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2025

CVE-2024-21722

Publication date:
29/02/2024
The MFA management features did not properly terminate existing user sessions when a user's MFA methods have been modified.
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2025

CVE-2024-21723

Publication date:
29/02/2024
Inadequate parsing of URLs could result in an open redirect.
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2025

CVE-2024-21724

Publication date:
29/02/2024
Inadequate input validation for media selection fields leads to XSS vulnerabilities in various extensions.
Severity CVSS v4.0: Pending analysis
Last modification:
27/03/2025

CVE-2024-21725

Publication date:
29/02/2024
Inadequate escaping of mail addresses leads to XSS vulnerabilities in various components.
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2025

CVE-2024-21726

Publication date:
29/02/2024
Inadequate content filtering leads to XSS vulnerabilities in various components.
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2025

CVE-2024-20291

Publication date:
29/02/2024
A vulnerability in the access control list (ACL) programming for port channel subinterfaces of Cisco Nexus 3000 and 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to send traffic that should be blocked through an affected device.

This vulnerability is due to incorrect hardware programming that occurs when configuration changes are made to port channel member ports. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to access network resources that should be protected by an ACL that was applied on port channel subinterfaces.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2025

CVE-2024-20294

Publication date:
29/02/2024
A vulnerability in the Link Layer Discovery Protocol (LLDP) feature of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device.

This vulnerability is due to improper handling of specific fields in an LLDP frame. An attacker could exploit this vulnerability by sending a crafted LLDP packet to an interface of an affected device and having an authenticated user retrieve LLDP statistics from the affected device through CLI show commands or Simple Network Management Protocol (SNMP) requests. A successful exploit could allow the attacker to cause the LLDP service to crash and stop running on the affected device. In certain situations, the LLDP crash may result in a reload of the affected device.

Note: LLDP is a Layer 2 link protocol. To exploit this vulnerability, an attacker would need to be directly connected to an interface of an affected device, either physically or logically (for example, through a Layer 2 Tunnel configured to transport the LLDP protocol).
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025