Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, of all the latest documented and recognised vulnerabilities for users interested in this information.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates that information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: you can select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-6071

Publication date:
27/06/2024
PTC Creo Elements/Direct License Server exposes a web interface which can be used by unauthenticated remote attackers to execute arbitrary OS commands on the server.
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2024

CVE-2016-20022

Publication date:
27/06/2024
In the Linux kernel before 4.8, usb_parse_endpoint in drivers/usb/core/config.c does not validate the wMaxPacketSize field of an endpoint descriptor. NOTE: This vulnerability only affects products that are no longer supported by the supplier.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2025

CVE-2023-52892

Publication date:
27/06/2024
In phpseclib before 1.0.22, 2.x before 2.0.46, and 3.x before 3.0.33, some characters in Subject Alternative Name fields in TLS certificates are incorrectly allowed to have a special meaning in regular expressions (such as a + wildcard), leading to name confusion in X.509 certificate host verification.
Severity CVSS v4.0: Pending analysis
Last modification:
21/08/2024

CVE-2024-36059

Publication date:
27/06/2024
Directory Traversal vulnerability in Kalkitech ASE ASE61850 IEDSmart up to and including version 2.3.5 allows attackers to read/write arbitrary files via the IEC61850 File Transfer protocol.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2024

CVE-2024-39705

Publication date:
27/06/2024
NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.
Severity CVSS v4.0: Pending analysis
Last modification:
15/09/2024

CVE-2024-4395

Publication date:
27/06/2024
The XPC service within the audit functionality of Jamf Compliance Editor before version 1.3.1 on macOS can lead to local privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2024-5642

Publication date:
27/06/2024
CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols(), which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN not being widely used and specifying an empty list likely being uncommon in practice (typically a protocol name would be configured).
Severity CVSS v4.0: Pending analysis
Last modification:
06/11/2024

CVE-2024-2973

Publication date:
27/06/2024
An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or conductor running with a redundant peer allows a network based attacker to bypass authentication and take full control of the device. Only routers or conductors that are running in high-availability redundant configurations are affected by this vulnerability. No other Juniper Networks products or platforms are affected by this issue.
This issue affects:
Session Smart Router:
* All versions before 5.6.15,
* from 6.0 before 6.1.9-lts,
* from 6.2 before 6.2.5-sts.
Session Smart Conductor:
* All versions before 5.6.15,
* from 6.0 before 6.1.9-lts,
* from 6.2 before 6.2.5-sts.
WAN Assurance Router:
* 6.0 versions before 6.1.9-lts,
* 6.2 versions before 6.2.5-sts.
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2024

CVE-2024-36072

Publication date:
27/06/2024
Netwrix CoSoSys Endpoint Protector through 5.9.3 and CoSoSys Unify through 7.0.6 contain a remote code execution vulnerability in the logging component of the Endpoint Protector and Unify server application which allows an unauthenticated remote attacker to send a malicious request, resulting in the ability to execute system commands with root privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2024

CVE-2024-36073

Publication date:
27/06/2024
Netwrix CoSoSys Endpoint Protector through 5.9.3 and CoSoSys Unify through 7.0.6 contain a remote code execution vulnerability in the shadowing component of the Endpoint Protector and Unify agent which allows an attacker with administrative access to the Endpoint Protector or Unify server to overwrite sensitive configuration and subsequently execute system commands with SYSTEM/root privileges on a chosen client endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2024

CVE-2024-36074

Publication date:
27/06/2024
Netwrix CoSoSys Endpoint Protector through 5.9.3 and CoSoSys Unify through 7.0.6 contain a remote code execution vulnerability in the Endpoint Protector and Unify agent in the way that the EasyLock dependency is acquired from the server. An attacker with administrative access to the Endpoint Protector or Unify server can cause a client to acquire and execute a malicious file resulting in remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2024

CVE-2024-36075

Publication date:
27/06/2024
The CoSoSys Endpoint Protector through 5.9.3 and Unify agent through 7.0.6 are susceptible to an arbitrary code execution vulnerability due to the way an archive obtained from the Endpoint Protector or Unify server is extracted on the endpoint. An attacker who is able to modify the archive on the server could obtain remote code execution as an administrator on an endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2024