Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-24697
Publication date:
14/02/2024
Untrusted search path in some Zoom 32 bit Windows clients may allow an authenticated user to conduct an escalation of privilege via local access.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2024

CVE-2024-24698
Publication date:
14/02/2024
Improper authentication in some Zoom clients may allow a privileged user to conduct a disclosure of information via local access.
Severity CVSS v4.0: Pending analysis
Last modification:
04/10/2024

CVE-2024-1485
Publication date:
14/02/2024
A flaw was found in the decompression function of registry-support. This issue can be triggered if an unauthenticated remote attacker tricks a user into parsing a devfile which uses the `parent` or `plugin` keywords. This could download a malicious archive and cause the cleanup process to overwrite or delete files outside of the archive, which should not be allowed.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2026

CVE-2024-25121
Publication date:
13/02/2024
TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions of TYPO3 entities of the File Abstraction Layer (FAL) could be persisted directly via `DataHandler`. This allowed attackers to reference files in the fallback storage directly and retrieve their file names and contents. The fallback storage ("zero-storage") is used as a backward compatibility layer for files located outside properly configured file storages and within the public web root directory. Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 version 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, or 13.0.1 which fix the problem described. When persisting entities of the File Abstraction Layer directly via DataHandler, `sys_file` entities are now denied by default, and `sys_file_reference` &amp; `sys_file_metadata` entities are not permitted to reference files in the fallback storage anymore. When importing data from secure origins, this must be explicitly enabled in the corresponding DataHandler instance by using `$dataHandler-&gt;isImporting = true;`.<br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2024

CVE-2023-38960
Publication date:
13/02/2024
Insecure Permissions issue in Raiden Professional Server RaidenFTPD v.2.4 build 4005 allows a local attacker to gain privileges and execute arbitrary code via crafted executable running from the installation directory.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2025

CVE-2024-25118
Publication date:
13/02/2024
TYPO3 is an open source PHP based web content management system released under the GNU GPL. Password hashes were being reflected in the editing forms of the TYPO3 backend user interface. This allowed attackers to crack the plaintext password using brute force techniques. Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. There are no known workarounds for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2024

CVE-2024-25119
Publication date:
13/02/2024
TYPO3 is an open source PHP based web content management system released under the GNU GPL. The plaintext value of `$GLOBALS[&amp;#39;SYS&amp;#39;][&amp;#39;encryptionKey&amp;#39;]` was displayed in the editing forms of the TYPO3 Install Tool user interface. This allowed attackers to utilize the value to generate cryptographic hashes used for verifying the authenticity of HTTP request parameters. Exploiting this vulnerability requires an administrator-level backend user account with system maintainer permissions. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2024

CVE-2024-25120
Publication date:
13/02/2024
TYPO3 is an open source PHP based web content management system released under the GNU GPL. The TYPO3-specific `t3://` URI scheme could be used to access resources outside of the users&amp;#39; permission scope. This encompassed files, folders, pages, and records (although only if a valid link-handling configuration was provided). Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. There are no known workarounds for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2024

CVE-2023-6152
Publication date:
13/02/2024
A user changing their email after signing up and verifying it can change it without verification in profile settings.<br /> <br /> The configuration option "verify_email_enabled" will only validate email only on sign up.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2025

CVE-2024-24142
Publication date:
13/02/2024
Sourcecodester School Task Manager 1.0 allows SQL Injection via the &amp;#39;subject&amp;#39; parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
09/05/2025

CVE-2023-20579
Publication date:
13/02/2024
Improper<br /> Access Control in the AMD SPI protection feature may allow a user with Ring0<br /> (kernel mode) privileged access to bypass protections potentially resulting in<br /> loss of integrity and availability.<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
14/03/2025

CVE-2023-31346
Publication date:
13/02/2024
Failure to initialize<br /> memory in SEV Firmware may allow a privileged attacker to access stale data<br /> from other guests.<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025
Subscribe to Vulnerabilities