Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-23084
Publication date:
15/02/2024
The total size of the user-provided nmreq to nmreq_copyin() was first computed and then trusted during the copyin. This time-of-check to time-of-use bug could lead to kernel memory corruption.<br /> <br /> On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2024

CVE-2024-26261
Publication date:
15/02/2024
The functionality for file download in HGiga OAKlouds&amp;#39; certain modules contains an Arbitrary File Read and Delete vulnerability. Attackers can put file path in specific request parameters, allowing them to download the file without login. Furthermore, the file will be deleted after being downloaded.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2025

CVE-2024-26262
Publication date:
15/02/2024
EBM Technologies Uniweb/SoliPACS WebServer&amp;#39;s query functionality lacks proper restrictions of user input, allowing remote attackers authenticated as regular user to inject SQL commands for reading, modifying, and deleting database records, as well as executing system commands. Attackers may even leverage the dbo privilege in the database for privilege escalation, elevating their privileges to administrator .
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2025

CVE-2024-26263
Publication date:
15/02/2024
EBM Technologies RISWEB&amp;#39;s specific URL path is not properly controlled by permission, allowing attackers to browse specific pages and query sensitive data without login.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2025

CVE-2024-26264
Publication date:
15/02/2024
EBM Technologies RISWEB&amp;#39;s specific query function parameter does not properly restrict user input, and this feature page is accessible without login. This allows remote attackers to inject SQL commands without authentication, enabling them to read, modify, and delete database records.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2025

CVE-2024-26260
Publication date:
15/02/2024
The functionality for synchronization in HGiga OAKlouds&amp;#39; certain moudules has an OS Command Injection vulnerability, allowing remote attackers to inject system commands within specific request parameters. This enables the execution of arbitrary code on the remote server without permission.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2025

CVE-2024-1523
Publication date:
15/02/2024
EC-WEB FS-EZViewer(Web)&amp;#39;s query functionality lacks proper restrictions of user input, allowing remote attackers authenticated as regular user to inject SQL commands for reading, modifying, and deleting database records, as well as executing system commands. Attackers may even leverage the dbo privilege in the database for privilege escalation, elevating their privileges to administrator.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2025

CVE-2024-25620
Publication date:
15/02/2024
Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. When either the Helm client or SDK is used to save a chart whose name within the `Chart.yaml` file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name. This issue has been resolved in Helm v3.14.1. Users unable to upgrade should check all charts used by Helm for path changes in their name as found in the `Chart.yaml` file. This includes dependencies.
Severity CVSS v4.0: Pending analysis
Last modification:
09/01/2025

CVE-2024-24300
Publication date:
14/02/2024
4ipnet EAP-767 v3.42.00 is vulnerable to Incorrect Access Control. The device uses the same set of credentials, regardless of how many times a user logs in, the content of the cookie remains unchanged.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2025

CVE-2024-24301
Publication date:
14/02/2024
Command Injection vulnerability discovered in 4ipnet EAP-767 device v3.42.00 within the web interface of the device allows attackers with valid credentials to inject arbitrary shell commands to be executed by the device with root privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2025

CVE-2023-6138
Publication date:
14/02/2024
A potential security vulnerability has been identified in the system BIOS for certain HP Workstation PCs, which might allow escalation of privilege, arbitrary code execution, or denial of service. HP is releasing mitigation for the potential vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
22/12/2025

CVE-2022-48220
Publication date:
14/02/2024
Potential vulnerabilities have been identified in certain HP Desktop PC products using the HP TamperLock feature, which might allow intrusion detection bypass via a physical attack. HP is releasing firmware and guidance to mitigate these potential vulnerabilities.
Severity CVSS v4.0: Pending analysis
Last modification:
09/01/2026
Subscribe to Vulnerabilities