Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-24300

Publication date:
14/02/2024
4ipnet EAP-767 v3.42.00 is vulnerable to Incorrect Access Control. The device uses the same set of credentials regardless of how many times a user logs in: the content of the cookie remains unchanged.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2025

CVE-2024-24301

Publication date:
14/02/2024
Command Injection vulnerability discovered in 4ipnet EAP-767 device v3.42.00 within the web interface of the device allows attackers with valid credentials to inject arbitrary shell commands to be executed by the device with root privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2025

CVE-2023-6138

Publication date:
14/02/2024
A potential security vulnerability has been identified in the system BIOS for certain HP Workstation PCs, which might allow escalation of privilege, arbitrary code execution, or denial of service. HP is releasing mitigation for the potential vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
22/12/2025

CVE-2022-48220

Publication date:
14/02/2024
Potential vulnerabilities have been identified in certain HP Desktop PC products using the HP TamperLock feature, which might allow intrusion detection bypass via a physical attack. HP is releasing firmware and guidance to mitigate these potential vulnerabilities.
Severity CVSS v4.0: Pending analysis
Last modification:
09/01/2026

CVE-2022-48219

Publication date:
14/02/2024
Potential vulnerabilities have been identified in certain HP Desktop PC products using the HP TamperLock feature, which might allow intrusion detection bypass via a physical attack. HP is releasing firmware and guidance to mitigate these potential vulnerabilities.
Severity CVSS v4.0: Pending analysis
Last modification:
09/01/2026

CVE-2023-48733

Publication date:
14/02/2024
An insecure default to allow UEFI Shell in EDK2 was left enabled in Ubuntu's EDK2. This allows an OS-resident attacker to bypass Secure Boot.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2023-49721

Publication date:
14/02/2024
An insecure default to allow UEFI Shell in EDK2 was left enabled in LXD. This allows an OS-resident attacker to bypass Secure Boot.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2024-1367

Publication date:
14/02/2024
A command injection vulnerability exists where an authenticated, remote attacker with administrator privileges on the Security Center application could modify Logging parameters, which could lead to the execution of arbitrary code on the Security Center host.
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2024

CVE-2024-1471

Publication date:
14/02/2024
An HTML injection vulnerability exists where an authenticated, remote attacker with administrator privileges on the Security Center application could modify Repository parameters, which could lead to HTML redirection attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2024

CVE-2024-25617

Publication date:
14/02/2024
Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Collapse of Data into Unsafe Value bug, Squid may be vulnerable to a Denial of Service attack against HTTP header parsing. This problem allows a remote client or a remote server to perform Denial of Service when sending oversized headers in HTTP messages. In versions of Squid prior to 6.5 this can be achieved if the request_header_max_size or reply_header_max_size settings are unchanged from the default. In Squid version 6.5 and later, the default setting of these parameters is safe. Squid will emit a critical warning in cache.log if the administrator sets these parameters to unsafe values. Squid will not at this time prevent these settings from being changed to unsafe values. Users are advised to upgrade to version 6.5. There are no known workarounds for this vulnerability. This issue is also tracked as SQUID-2024:2.
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2025

CVE-2024-25618

Publication date:
14/02/2024
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible account takeover if the authentication provider allows changing the e-mail address or multiple authentication providers are configured. When a user logs in through an external authentication provider for the first time, Mastodon checks the e-mail address passed by the provider to find an existing account. However, using the e-mail address alone means that if the authentication provider allows changing the e-mail address of an account, the Mastodon account can immediately be hijacked. All users logging in through external authentication providers are affected. The severity is medium, as it also requires the external authentication provider to misbehave. However, some well-known OIDC providers (like Microsoft Azure) make it very easy to accidentally allow unverified e-mail changes. Moreover, OpenID Connect also allows dynamic client registration. This issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2024

CVE-2024-25619

Publication date:
14/02/2024
Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application is destroyed, the streaming server wasn't being informed that the Access Tokens had also been destroyed; this could have posed security risks to users by allowing an application to continue listening to streaming after the application had been destroyed. Essentially this comes down to the fact that when Doorkeeper sets up the relationship between Applications and Access Tokens, it uses a `dependent: delete_all` configuration, which means the `after_commit` callback set up on `AccessTokenExtension` didn't actually fire, since `delete_all` doesn't trigger ActiveRecord callbacks. To mitigate, we need to add a `before_destroy` callback to `ApplicationExtension` which announces to streaming that all the Application's Access Tokens are being "killed". Impact should be negligible given the affected application had to be owned by the user. Nonetheless this issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2024