Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-10995
Publication date:
08/11/2024
A vulnerability was found in Codezips Hospital Appointment System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /removeDoctorResult.php. The manipulation of the argument Name leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
13/11/2024

CVE-2024-10269
Publication date:
08/11/2024
The Easy SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Severity CVSS v4.0: Pending analysis
Last modification:
13/11/2024

CVE-2024-50207
Publication date:
08/11/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ring-buffer: Fix reader locking when changing the sub buffer order<br /> <br /> The function ring_buffer_subbuf_order_set() updates each<br /> ring_buffer_per_cpu and installs new sub buffers that match the requested<br /> page order. This operation may be invoked concurrently with readers that<br /> rely on some of the modified data, such as the head bit (RB_PAGE_HEAD), or<br /> the ring_buffer_per_cpu.pages and reader_page pointers. However, no<br /> exclusive access is acquired by ring_buffer_subbuf_order_set(). Modifying<br /> the mentioned data while a reader also operates on them can then result in<br /> incorrect memory access and various crashes.<br /> <br /> Fix the problem by taking the reader_lock when updating a specific<br /> ring_buffer_per_cpu in ring_buffer_subbuf_order_set().
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2024-50211
Publication date:
08/11/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> udf: refactor inode_bmap() to handle error<br /> <br /> Refactor inode_bmap() to handle error since udf_next_aext() can return<br /> error now. On situations like ftruncate, udf_extend_file() can now<br /> detect errors and bail out early without resorting to checking for<br /> particular offsets and assuming internal behavior of these functions.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2024-7982
Publication date:
08/11/2024
The Registrations for the Events Calendar WordPress plugin before 2.12.4 does not sanitise and escape some parameters when accepting event registrations, which could allow unauthenticated users to perform Cross-Site Scripting attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2025

CVE-2024-50208
Publication date:
08/11/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages<br /> <br /> Avoid memory corruption while setting up Level-2 PBL pages for the non MR<br /> resources when num_pages &gt; 256K.<br /> <br /> There will be a single PDE page address (contiguous pages in the case of &gt;<br /> PAGE_SIZE), but, current logic assumes multiple pages, leading to invalid<br /> memory access after 256K PBL entries in the PDE.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-50209
Publication date:
08/11/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/bnxt_re: Add a check for memory allocation<br /> <br /> __alloc_pbl() can return error when memory allocation fails.<br /> Driver is not checking the status on one of the instances.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-50210
Publication date:
08/11/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime()<br /> <br /> If get_clock_desc() succeeds, it calls fget() for the clockid&amp;#39;s fd,<br /> and get the clk-&gt;rwsem read lock, so the error path should release<br /> the lock to make the lock balance and fput the clockid&amp;#39;s fd to make<br /> the refcount balance and release the fd related resource.<br /> <br /> However the below commit left the error path locked behind resulting in<br /> unbalanced locking. Check timespec64_valid_strict() before<br /> get_clock_desc() to fix it, because the "ts" is not changed<br /> after that.<br /> <br /> [pabeni@redhat.com: fixed commit message typo]
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-50197
Publication date:
08/11/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pinctrl: intel: platform: fix error path in device_for_each_child_node()<br /> <br /> The device_for_each_child_node() loop requires calls to<br /> fwnode_handle_put() upon early returns to decrement the refcount of<br /> the child node and avoid leaking memory if that error path is triggered.<br /> <br /> There is one early returns within that loop in<br /> intel_platform_pinctrl_prepare_community(), but fwnode_handle_put() is<br /> missing.<br /> <br /> Instead of adding the missing call, the scoped version of the loop can<br /> be used to simplify the code and avoid mistakes in the future if new<br /> early returns are added, as the child node is only used for parsing, and<br /> it is never assigned.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2024-50203
Publication date:
08/11/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf, arm64: Fix address emission with tag-based KASAN enabled<br /> <br /> When BPF_TRAMP_F_CALL_ORIG is enabled, the address of a bpf_tramp_image<br /> struct on the stack is passed during the size calculation pass and<br /> an address on the heap is passed during code generation. This may<br /> cause a heap buffer overflow if the heap address is tagged because<br /> emit_a64_mov_i64() will emit longer code than it did during the size<br /> calculation pass. The same problem could occur without tag-based<br /> KASAN if one of the 16-bit words of the stack address happened to<br /> be all-ones during the size calculation pass. Fix the problem by<br /> assuming the worst case (4 instructions) when calculating the size<br /> of the bpf_tramp_image address emission.
Severity CVSS v4.0: Pending analysis
Last modification:
22/05/2025

CVE-2024-50204
Publication date:
08/11/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs: don&amp;#39;t try and remove empty rbtree node<br /> <br /> When copying a namespace we won&amp;#39;t have added the new copy into the<br /> namespace rbtree until after the copy succeeded. Calling free_mnt_ns()<br /> will try to remove the copy from the rbtree which is invalid. Simply<br /> free the namespace skeleton directly.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2024-50206
Publication date:
08/11/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ethernet: mtk_eth_soc: fix memory corruption during fq dma init<br /> <br /> The loop responsible for allocating up to MTK_FQ_DMA_LENGTH buffers must<br /> only touch as many descriptors, otherwise it ends up corrupting unrelated<br /> memory. Fix the loop iteration count accordingly.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025
Subscribe to Vulnerabilities