Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-27088

Publication date:
26/02/2024
es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into `function#copy` or `function#toStringTokens` may cause the script to stall. The vulnerability is patched in v0.10.63.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2024-27081

Publication date:
26/02/2024
ESPHome is a system to control your ESP8266/ESP32. A security misconfiguration in the edit configuration file API in the dashboard component of ESPHome version 2023.12.9 (command line installation) allows authenticated remote attackers to read and write arbitrary files under the configuration directory rendering remote code execution possible. This vulnerability is patched in 2024.2.1.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
07/02/2025

CVE-2024-27087

Publication date:
26/02/2024
Kirby is a content management system. The new link field introduced in Kirby 4 allows several different link types that each validate the entered link to the relevant URL format. It also includes a "Custom" link type for advanced use cases that don&amp;#39;t fit any of the pre-defined link formats. As the "Custom" link type is meant to be flexible, it also allows the javascript: URL scheme. In some use cases this can be intended, but it can also be misused by attackers to execute arbitrary JavaScript code when a user or visitor clicks on a link that is generated from the contents of the link field. This vulnerability is patched in 4.1.1.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2024

CVE-2024-24402

Publication date:
26/02/2024
An issue in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted script to the /usr/local/nagios/bin/npcd component.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2025

CVE-2024-25767

Publication date:
26/02/2024
nanomq 0.21.2 contains a Use-After-Free vulnerability in /nanomq/nng/src/core/socket.c.
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2025

CVE-2024-24401

Publication date:
26/02/2024
SQL Injection vulnerability in Nagios XI 2024R1.01 allows a remote attacker to execute arbitrary code via a crafted payload to the monitoringwizard.php component.
Severity CVSS v4.0: Pending analysis
Last modification:
27/06/2025

CVE-2024-26603

Publication date:
26/02/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/fpu: Stop relying on userspace for info to fault in xsave buffer<br /> <br /> Before this change, the expected size of the user space buffer was<br /> taken from fx_sw-&gt;xstate_size. fx_sw-&gt;xstate_size can be changed<br /> from user-space, so it is possible construct a sigreturn frame where:<br /> <br /> * fx_sw-&gt;xstate_size is smaller than the size required by valid bits in<br /> fx_sw-&gt;xfeatures.<br /> * user-space unmaps parts of the sigrame fpu buffer so that not all of<br /> the buffer required by xrstor is accessible.<br /> <br /> In this case, xrstor tries to restore and accesses the unmapped area<br /> which results in a fault. But fault_in_readable succeeds because buf +<br /> fx_sw-&gt;xstate_size is within the still mapped area, so it goes back and<br /> tries xrstor again. It will spin in this loop forever.<br /> <br /> Instead, fault in the maximum size which can be touched by XRSTOR (taken<br /> from fpstate-&gt;user_size).<br /> <br /> [ dhansen: tweak subject / changelog ]
Severity CVSS v4.0: Pending analysis
Last modification:
17/04/2024

CVE-2024-26604

Publication date:
26/02/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Revert "kobject: Remove redundant checks for whether ktype is NULL"<br /> <br /> This reverts commit 1b28cb81dab7c1eedc6034206f4e8d644046ad31.<br /> <br /> It is reported to cause problems, so revert it for now until the root<br /> cause can be found.
Severity CVSS v4.0: Pending analysis
Last modification:
17/04/2024

CVE-2024-26605

Publication date:
26/02/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> PCI/ASPM: Fix deadlock when enabling ASPM<br /> <br /> A last minute revert in 6.7-final introduced a potential deadlock when<br /> enabling ASPM during probe of Qualcomm PCIe controllers as reported by<br /> lockdep:<br /> <br /> ============================================<br /> WARNING: possible recursive locking detected<br /> 6.7.0 #40 Not tainted<br /> --------------------------------------------<br /> kworker/u16:5/90 is trying to acquire lock:<br /> ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pcie_aspm_pm_state_change+0x58/0xdc<br /> <br /> but task is already holding lock:<br /> ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pci_walk_bus+0x34/0xbc<br /> <br /> other info that might help us debug this:<br /> Possible unsafe locking scenario:<br /> <br /> CPU0<br /> ----<br /> lock(pci_bus_sem);<br /> lock(pci_bus_sem);<br /> <br /> *** DEADLOCK ***<br /> <br /> Call trace:<br /> print_deadlock_bug+0x25c/0x348<br /> __lock_acquire+0x10a4/0x2064<br /> lock_acquire+0x1e8/0x318<br /> down_read+0x60/0x184<br /> pcie_aspm_pm_state_change+0x58/0xdc<br /> pci_set_full_power_state+0xa8/0x114<br /> pci_set_power_state+0xc4/0x120<br /> qcom_pcie_enable_aspm+0x1c/0x3c [pcie_qcom]<br /> pci_walk_bus+0x64/0xbc<br /> qcom_pcie_host_post_init_2_7_0+0x28/0x34 [pcie_qcom]<br /> <br /> The deadlock can easily be reproduced on machines like the Lenovo ThinkPad<br /> X13s by adding a delay to increase the race window during asynchronous<br /> probe where another thread can take a write lock.<br /> <br /> Add a new pci_set_power_state_locked() and associated helper functions that<br /> can be called with the PCI bus semaphore held to avoid taking the read lock<br /> twice.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2024

CVE-2024-27359

Publication date:
26/02/2024
Certain WithSecure products allow a Denial of Service because the engine scanner can go into an infinite loop when processing an archive file. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, WithSecure Linux Security 64 12.0, WithSecure Linux Protection 12.0, and WithSecure Atlant 1.0.35-1.
Severity CVSS v4.0: Pending analysis
Last modification:
05/08/2024

CVE-2024-27454

Publication date:
26/02/2024
orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2024

CVE-2024-27455

Publication date:
26/02/2024
In the Bentley ALIM Web application, certain configuration settings can cause exposure of a user&amp;#39;s ALIM session token when the user attempts to download files. This is fixed in Assetwise ALIM Web 23.00.04.04 and Assetwise Information Integrity Server 23.00.02.03.
Severity CVSS v4.0: Pending analysis
Last modification:
14/08/2024