Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-34013

Publication date:
18/07/2024
Local privilege escalation due to OS command injection vulnerability. The following products are affected: Acronis True Image (macOS) before build 41396.
Severity CVSS v4.0: Pending analysis
Last modification:
19/07/2024

CVE-2024-31143

Publication date:
18/07/2024
An optional feature of PCI MSI called "Multiple Message" allows a device to use multiple consecutive interrupt vectors. Unlike for MSI-X, the setting up of these consecutive vectors needs to happen all in one go. In this handling an error path could be taken in different situations, with or without a particular lock held. This error path wrongly releases the lock even when it is not currently held.
Severity CVSS v4.0: Pending analysis
Last modification:
26/04/2025

CVE-2024-29178

Publication date:
18/07/2024
On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server. The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability.
Mitigation: all users should upgrade to 2.1.4
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2024-40898

Publication date:
18/07/2024
SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests.
Users are recommended to upgrade to version 2.4.62 which fixes this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2024

CVE-2024-6504

Publication date:
18/07/2024
Rapid7 InsightVM Console versions below 6.6.260 suffer from a protection mechanism failure whereby an attacker with network access to the InsightVM Console can cause it to overload or crash by sending repeated invalid REST requests in a short timeframe, to the Console's port 443 causing the console to enter an exception handling logging loop, exhausting the CPU. There is no indication that an attacker can use this method to escalate privilege, acquire unauthorized access to data, or gain control of protected resources. This issue is fixed in version 6.6.261.
Severity CVSS v4.0: Pending analysis
Last modification:
10/09/2024

CVE-2024-40725

Publication date:
18/07/2024
A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted.
Users are recommended to upgrade to version 2.4.62, which fixes this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
14/03/2025

CVE-2024-5554

Publication date:
18/07/2024
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘onclick_event’ parameter in all versions up to, and including, 5.6.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2024

CVE-2024-5555

Publication date:
18/07/2024
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘social-link-title’ parameter in all versions up to, and including, 5.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2024

CVE-2024-3242

Publication date:
18/07/2024
The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension validation in the validateImageContent function called via storeImages in all versions up to, and including, 2.4.43. This makes it possible for authenticated attackers, with contributor access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Version 2.4.44 prevents the upload of files ending in .sh and .php. Version 2.4.45 fully patches the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2025

CVE-2024-29014

Publication date:
18/07/2024
Vulnerability in SonicWall SMA100 NetExtender Windows (32 and 64-bit) client 10.2.339 and earlier versions allows an attacker to perform arbitrary code execution when processing an EPC Client update.
Severity CVSS v4.0: Pending analysis
Last modification:
10/09/2024

CVE-2024-40764

Publication date:
18/07/2024
Heap-based buffer overflow vulnerability in the SonicOS IPSec VPN allows an unauthenticated remote attacker to cause Denial of Service (DoS).
Severity CVSS v4.0: Pending analysis
Last modification:
10/09/2024

CVE-2024-41011

Publication date:
18/07/2024
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: don't allow mapping the MMIO HDP page with large pages
We don't get the right offset in that case. The GPU has an unused 4K area of the register BAR space into which you can remap registers. We remap the HDP flush registers into this space to allow userspace (CPU or GPU) to flush the HDP when it updates VRAM. However, on systems with >4K pages, we end up exposing PAGE_SIZE of MMIO space.
Severity CVSS v4.0: Pending analysis
Last modification:
06/09/2024