Vulnerabilities

With the aim of informing, warning and helping professionals regarding the latest security vulnerabilities in technology systems, we have made available to interested users a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish by virtue of a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-9464

Publication date:
09/10/2024
An OS command injection vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
Severity CVSS v4.0: CRITICAL
Last modification:
17/10/2024

CVE-2024-9466

Publication date:
09/10/2024
A cleartext storage of sensitive information vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to reveal firewall usernames, passwords, and API keys generated using those credentials.
Severity CVSS v4.0: HIGH
Last modification:
17/10/2024

CVE-2024-9467

Publication date:
09/10/2024
A reflected XSS vulnerability in Palo Alto Networks Expedition enables execution of malicious JavaScript in the context of an authenticated Expedition user's browser if that user clicks on a malicious link, allowing phishing attacks that could lead to Expedition browser session theft.
Severity CVSS v4.0: HIGH
Last modification:
15/10/2024

CVE-2024-9469

Publication date:
09/10/2024
A problem with a detection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices enables a user with Windows non-administrative privileges to disable the agent. This issue may be leveraged by malware to disable the Cortex XDR agent and then to perform malicious activity.
Severity CVSS v4.0: MEDIUM
Last modification:
15/10/2024

CVE-2024-9470

Publication date:
09/10/2024
A vulnerability in Cortex XSOAR allows the disclosure of incident data to users who do not have the privilege to view the data.
Severity CVSS v4.0: Pending analysis
Last modification:
10/10/2024

CVE-2024-9465

Publication date:
09/10/2024
An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.
Severity CVSS v4.0: CRITICAL
Last modification:
04/11/2025

CVE-2024-9468

Publication date:
09/10/2024
A memory corruption vulnerability in Palo Alto Networks PAN-OS software allows an unauthenticated attacker to crash PAN-OS due to a crafted packet through the data plane, resulting in a denial of service (DoS) condition. Repeated attempts to trigger this condition will result in PAN-OS entering maintenance mode.
Severity CVSS v4.0: HIGH
Last modification:
01/12/2025

CVE-2024-43610

Publication date:
09/10/2024
Exposure of Sensitive Information to an Unauthorized Actor in Copilot Studio allows an unauthenticated attacker to view sensitive information through a network attack vector.
Severity CVSS v4.0: Pending analysis
Last modification:
10/01/2025

CVE-2024-45746

Publication date:
09/10/2024
An issue was discovered in Trusted Firmware-M through 2.1.0. User provided (and controlled) mailbox messages contain a pointer to a list of input arguments (in_vec) and output arguments (out_vec). These list pointers are never validated. Each argument list contains a buffer pointer and a buffer length field. After a PSA call, the length of the output arguments behind the unchecked pointer is updated in mailbox_direct_reply, regardless of the call result. This allows an attacker to write anywhere in the secure firmware, which can be used to take over the control flow, leading to remote code execution (RCE).
Severity CVSS v4.0: Pending analysis
Last modification:
11/10/2024

CVE-2024-46307

Publication date:
09/10/2024
A loophole in the payment logic of Sparkshop v1.16 allows attackers to arbitrarily modify the number of products.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2024

CVE-2024-9463

Publication date:
09/10/2024
An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
Severity CVSS v4.0: CRITICAL
Last modification:
04/11/2025

CVE-2024-42988

Publication date:
09/10/2024
Lack of access control in ChallengeSolves (/api/v1/challenges//solves) of CTFd v2.0.0 - v3.7.2 allows authenticated users to retrieve a list of users who have solved the challenge, regardless of the Account Visibility settings. The issue is fixed in v3.7.3+.
Severity CVSS v4.0: Pending analysis
Last modification:
10/02/2025