Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-31213

Publication date:
05/04/2024
InstantCMS is a free and open source content management system. An open redirect was found in the ICMS2 application version 2.16.2 when being redirected after modifying one's own user profile. An attacker could trick a victim into visiting their web application, thinking they are still present on the ICMS2 application. They could then host a website stating "To update your profile, please enter your password," upon which the user may type their password and send it to the attacker. As of time of publication, a patched version is not available.
Severity CVSS v4.0: Pending analysis
Last modification:
17/01/2025

CVE-2024-31218

Publication date:
05/04/2024
Webhood is a self-hosted URL scanner used for analyzing phishing and malicious sites. Webhood's backend container images in versions 0.9.0 and earlier are subject to a Missing Authentication for Critical Function vulnerability. This vulnerability allows an unauthenticated attacker to send an HTTP request to the database (Pocketbase) admin API to create an admin account. The Pocketbase admin API does not check for authentication/authorization when creating an admin account when no admin accounts have been added. In its default deployment, Webhood does not create a database admin account. Therefore, unless users have manually created an admin account in the database, an admin account will not exist in the deployment and the deployment is vulnerable. Versions starting from 0.9.1 are patched. The patch creates a randomly generated admin account if admin accounts have not already been created, i.e. the vulnerability is exploitable in the deployment. As a workaround, users can disable access to URL paths starting with `/api/admins` entirely. With this workaround, the vulnerability is not exploitable via network.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2023-49965

Publication date:
05/04/2024
SpaceX Starlink Wi-Fi router Gen 2 before 2023.48.0 allows XSS via the ssid and password parameters on the Setup Page.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-2499

Publication date:
05/04/2024
The Squelch Tabs and Accordions Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'accordions' shortcode in all versions up to, and including, 0.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-2380

Publication date:
05/04/2024
Stored XSS in graph rendering in Checkmk
Severity CVSS v4.0: Pending analysis
Last modification:
04/12/2024

CVE-2023-5692

Publication date:
05/04/2024
WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.4.3 via the redirect_guess_404_permalink function. This can allow unauthenticated attackers to expose the slug of a custom post whose 'publicly_queryable' post status has been set to 'false'.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2023-6523

Publication date:
05/04/2024
Authorization Bypass Through User-Controlled Key vulnerability in ExtremePacs Extreme XDS allows Authentication Abuse. This issue affects Extreme XDS: before 3914.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-31083

Publication date:
05/04/2024
A use-after-free vulnerability was found in the ProcRenderAddGlyphs() function of Xorg servers. This issue occurs when AllocateGlyph() is called to store new glyphs sent by the client to the X server, potentially resulting in multiple entries pointing to the same non-refcounted glyphs. Consequently, ProcRenderAddGlyphs() may free a glyph, leading to a use-after-free scenario when the same glyph pointer is subsequently accessed. This flaw allows an authenticated attacker to execute arbitrary code on the system by sending a specially crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2023-6522

Publication date:
05/04/2024
Incorrect Use of Privileged APIs vulnerability in ExtremePacs Extreme XDS allows Collect Data as Provided by Users. This issue affects Extreme XDS: before 3914.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-21848

Publication date:
05/04/2024
Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to keep participating in the call even if they are removed from the channel.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2024

CVE-2024-26813

Publication date:
05/04/2024
In the Linux kernel, the following vulnerability has been resolved:

vfio/platform: Create persistent IRQ handlers

The vfio-platform SET_IRQS ioctl currently allows loopback triggering of an interrupt before a signaling eventfd has been configured by the user, which thereby allows a NULL pointer dereference.

Rather than register the IRQ relative to a valid trigger, register all IRQs in a disabled state in the device open path. This allows mask operations on the IRQ to nest within the overall enable state governed by a valid eventfd signal. This decouples @masked, protected by the @locked spinlock from @trigger, protected via the @igate mutex.

In doing so, it's guaranteed that changes to @trigger cannot race the IRQ handlers because the IRQ handler is synchronously disabled before modifying the trigger, and loopback triggering of the IRQ via ioctl is safe due to serialization with trigger changes via igate.

For compatibility, request_irq() failures are maintained to be local to the SET_IRQS ioctl rather than a fatal error in the open device path. This allows, for example, a userspace driver with polling mode support to continue to work regardless of moving the request_irq() call site. This necessarily blocks all SET_IRQS access to the failed index.
Severity CVSS v4.0: Pending analysis
Last modification:
20/12/2024

CVE-2024-26814

Publication date:
05/04/2024
In the Linux kernel, the following vulnerability has been resolved:

vfio/fsl-mc: Block calling interrupt handler without trigger

The eventfd_ctx trigger pointer of the vfio_fsl_mc_irq object is initially NULL and may become NULL if the user sets the trigger eventfd to -1. The interrupt handler itself is guaranteed that trigger is always valid between request_irq() and free_irq(), but the loopback testing mechanisms to invoke the handler function need to test the trigger. The triggering and setting ioctl paths both make use of igate and are therefore mutually exclusive.

The vfio-fsl-mc driver does not make use of irqfds, nor does it support any sort of masking operations, therefore unlike vfio-pci and vfio-platform, the flow can remain essentially unchanged.
Severity CVSS v4.0: Pending analysis
Last modification:
27/03/2025