Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still translating them. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources, as well as to any patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recently added vulnerabilities.

CVE-2024-0793

Publication date:
17/11/2024
A flaw was found in kube-controller-manager. This issue occurs when the initial application of an HPA config YAML lacking a .spec.behavior.scaleUp block causes a denial of service due to KCM pods going into restart churn.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2023-0657

Publication date:
17/11/2024
A flaw was found in Keycloak. This issue occurs due to improperly enforcing token types when validating signatures locally. This could allow an authenticated attacker to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024
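
The Keycloak entry above describes a token-type confusion: a verifier that only checks the signature locally will accept any token the issuer signed, including a logout token, as if it were an access token. The following Python is an added illustration of that class and is not Keycloak's code. It assumes a single issuer key signing every token type (a constructed HS256 secret here; a real verifier would hold the issuer's public key) and assumes the type markers "Bearer" for access tokens and "Logout" for logout tokens; the claim names and sample values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret. A real deployment verifies with the issuer's public
# key; the point here is only that one issuer key signs several token types.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"

# Assumed type markers: access tokens carry typ "Bearer", logout tokens "Logout".
ACCESS_TYP = "Bearer"
LOGOUT_TYP = "Logout"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict) -> str:
    """Issuer side: HS256-sign any claim set with the single issuer key."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_signature(token: str) -> Optional[dict]:
    """Local signature check only. Returns the claims if the HMAC is valid,
    otherwise None. Says nothing about what kind of token this is."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    signing_input = parts[0] + "." + parts[1]
    expected = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    try:
        actual = _b64url_decode(parts[2])
    except ValueError:  # binascii.Error is a ValueError
        return None
    if not hmac.compare_digest(expected, actual):
        return None
    return json.loads(_b64url_decode(parts[1]))


def accept_access_token_weak(token: str) -> Optional[dict]:
    """Weak resource server: any token with a valid signature is treated as
    an access token. A logout token signed by the same issuer passes."""
    return verify_signature(token)


def accept_access_token_strict(token: str) -> Optional[dict]:
    """Hardened resource server: the signature must verify AND the token
    must be of the expected type. Everything else is rejected."""
    claims = verify_signature(token)
    if claims is None or claims.get("typ") != ACCESS_TYP:
        return None
    return claims


# Constructed sample tokens, both signed with the same issuer key.
ACCESS_TOKEN = issue_token({"typ": ACCESS_TYP, "sub": "alice", "scope": "read"})
LOGOUT_TOKEN = issue_token({"typ": LOGOUT_TYP, "sub": "alice", "sid": "constructed-session-id"})


if __name__ == "__main__":
    print("weak   accepts logout token as access token:", accept_access_token_weak(LOGOUT_TOKEN) is not None)
    print("strict accepts logout token as access token:", accept_access_token_strict(LOGOUT_TOKEN) is not None)
    print("strict accepts genuine access token:", accept_access_token_strict(ACCESS_TOKEN) is not None)
```

The practical check is the one in accept_access_token_strict: after the signature verifies, the verifier must still bind the token to the purpose it is being used for (type, and in practice also audience and expiry), because the signature alone only proves who issued it.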

CVE-2023-1419

Publication date:
17/11/2024
A script injection vulnerability was found in the Debezium database connector, where it does not properly sanitize some parameters. This flaw allows an attacker to send a malicious request to inject a parameter that may allow the viewing of unauthorized data.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2023-4639

Publication date:
17/11/2024
A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.
Severity CVSS v4.0: Pending analysis
Last modification:
07/02/2025
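
The Undertow entry above describes a cookie parser that mishandles value-delimiting characters, so that one cookie value can absorb its neighbours (leaking an HttpOnly value through whatever the application reflects) or be read as extra cookie pairs. The page does not give Undertow's parsing details, so the Python below is an added, constructed illustration of the class rather than the actual bug: a lenient parser that, on seeing a double quote, keeps reading across ';' separators until a closing quote, beside an RFC 6265-style parser that splits on ';' first. The Cookie header and cookie names are constructed for the demo.

```python
from typing import Dict

# Constructed request header: the attacker-settable cookie "tracker" holds a
# lone double quote; "session" stands in for an HttpOnly cookie the browser
# also attaches to the same request.
CONSTRUCTED_HEADER = 'tracker="; session=s3cr3t-httponly-value; theme=dark'


def parse_cookies_lenient(header: str) -> Dict[str, str]:
    """Constructed lenient parser: a double quote starts a quoted value that
    runs until the next quote (or end of header), swallowing any ';' inside.
    This is the failure class: one value can absorb following cookie pairs."""
    cookies: Dict[str, str] = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in " ;":  # skip separators
            i += 1
        if i >= n:
            break
        eq = header.find("=", i)
        if eq == -1:
            break
        name = header[i:eq].strip()
        j = eq + 1
        if j < n and header[j] == '"':
            end = header.find('"', j + 1)
            if end == -1:
                end = n
            value = header[j + 1:end]
            i = end + 1
        else:
            end = header.find(";", j)
            if end == -1:
                end = n
            value = header[j:end].strip()
            i = end
        cookies[name] = value
    return cookies


def parse_cookies_strict(header: str) -> Dict[str, str]:
    """RFC 6265 style: split on ';' first, then on the first '='. A quote is an
    ordinary character in a value and can never join or split cookie pairs."""
    cookies: Dict[str, str] = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if "=" not in pair:
            continue
        name, value = pair.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def reflected_value(cookies: Dict[str, str], name: str) -> str:
    """Stands in for an application that echoes one (non-HttpOnly) cookie
    back to the page; whatever the parser put in that value is exposed."""
    return cookies.get(name, "")


if __name__ == "__main__":
    lenient = parse_cookies_lenient(CONSTRUCTED_HEADER)
    strict = parse_cookies_strict(CONSTRUCTED_HEADER)
    print("lenient:", lenient)
    print("strict: ", strict)
    print("lenient reflects tracker as:", repr(reflected_value(lenient, "tracker")))
    print("strict reflects tracker as: ", repr(reflected_value(strict, "tracker")))
```

With the lenient parser the "session" cookie disappears as a separate pair and its value ends up inside "tracker", which the application may happily reflect to script that could never read the HttpOnly cookie directly. The strict parser keeps every pair independent, so the tracker value is just the quote character. The check a practitioner wants on any server-side framework is the same: feed it a Cookie header with an unbalanced quote and confirm that the neighbouring cookies still parse as their own pairs.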

CVE-2020-25720

Publication date:
17/11/2024
A vulnerability was found in Samba where a delegated administrator with permission to create objects in Active Directory can write to all attributes of the newly created object, including security-sensitive attributes, even after the object's creation. This issue occurs because the administrator owns the object due to the lack of an Access Control List (ACL) at the time of creation and later being recognized as the 'creator owner.' The retained significant rights of the delegated administrator may not be well understood, potentially leading to unintended privilege escalation or security risks.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2024-52876

Publication date:
17/11/2024
Holy Stone Remote ID Module HSRID01, firmware distributed with the Drone Go2 mobile application before 1.1.8, allows unauthenticated "remote power off" actions (in broadcast mode) via multiple read operations on the ASTM Remote ID (0xFFFA) GATT.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2024-52872

Publication date:
17/11/2024
In Flagsmith before 2.134.1, the get_document endpoint is not correctly protected by permissions.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2025

CVE-2024-52871

Publication date:
17/11/2024
In Flagsmith before 2.134.1, it is possible to bypass the ALLOW_REGISTRATION_WITHOUT_INVITE setting.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2025

CVE-2024-52867

Publication date:
17/11/2024
guix-daemon in GNU Guix before 5ab3c4c allows privilege escalation because build outputs are accessible by local users before file metadata concerns (e.g., for setuid and setgid programs) are properly addressed. The vulnerability can be remediated within the product via certain pull, reconfigure, and restart actions. Both 5ab3c4c and 5582241 are needed to resolve the vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
21/11/2024

CVE-2024-52397

Publication date:
16/11/2024
Unrestricted Upload of File with Dangerous Type vulnerability in Davor Zeljkovic Convert Docx2post allows Upload a Web Shell to a Web Server. This issue affects Convert Docx2post: from n/a through 1.4.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2024-52416

Publication date:
16/11/2024
Missing Authorization vulnerability in Eugen Bobrowski Debug Tool allows Upload a Web Shell to a Web Server. This issue affects Debug Tool: from n/a through 2.2.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2024-52411

Publication date:
16/11/2024
Deserialization of Untrusted Data vulnerability in Flowcraft UX Design Studio Advanced Personalization allows Object Injection. This issue affects Advanced Personalization: from n/a through 1.1.2.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024