Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-29874

Publication date:
21/03/2024
SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/activeuserrptpdf, 'sort_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
Severity CVSS v4.0: Pending analysis
Last modification:
24/01/2025

CVE-2024-29873

Publication date:
21/03/2024
SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/businessunits/format/html, 'bunitname' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
Severity CVSS v4.0: Pending analysis
Last modification:
24/01/2025

CVE-2024-29872

Publication date:
21/03/2024
SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/empscreening/add, 'agencyids' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
Severity CVSS v4.0: Pending analysis
Last modification:
24/01/2025

CVE-2024-29871

Publication date:
21/03/2024
SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/sentrifugo/index.php/index/updatecontactnumber, 'id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
Severity CVSS v4.0: Pending analysis
Last modification:
24/01/2025

CVE-2024-28834

Publication date:
21/03/2024
A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2024

CVE-2024-29870

Publication date:
21/03/2024
SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
Severity CVSS v4.0: Pending analysis
Last modification:
24/01/2025

CVE-2024-29866

Publication date:
21/03/2024
Datalust Seq before 2023.4.11151 and 2024 before 2024.1.11146 has Incorrect Access Control because a Project Owner or Organization Owner can escalate to System privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2025

CVE-2024-1394

Publication date:
21/03/2024
A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2025

CVE-2024-29732

Publication date:
21/03/2024
A SQL injection has been found in the SCAN_VISIO eDocument Suite Web Viewer of Abast. This vulnerability allows an unauthenticated user to retrieve, update and delete all the information in the database. This vulnerability was found on the login page via the "user" parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
21/03/2024

CVE-2023-52620

Publication date:
21/03/2024
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: disallow timeout for anonymous sets
Never used from userspace, disallow these parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
06/11/2024

CVE-2024-26642

Publication date:
21/03/2024
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: disallow anonymous set with timeout flag
Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2025

CVE-2024-26643

Publication date:
21/03/2024
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout
While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path.
Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 ("netfilter: nf_tables: use timestamp to check for set element timeout").
Fix this by setting on the dead flag for anonymous sets to skip async gc in this case.
According to 08e4c8c5919f ("netfilter: nf_tables: mark newset as dead on transaction abort"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2025