Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-3370

Publication date:
18/11/2024
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Egebilgi Software Website Template allows SQL Injection. This issue affects Website Template: before 29.04.2024.
Severity CVSS v4.0: HIGH
Last modification:
18/11/2024

CVE-2024-52318

Publication date:
18/11/2024
Incorrect object recycling and reuse vulnerability in Apache Tomcat. This issue affects Apache Tomcat: 11.0.0, 10.1.31, 9.0.96. Users are recommended to upgrade to version 11.0.1, 10.1.32 or 9.0.97, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2025

CVE-2024-48897

Publication date:
18/11/2024
A vulnerability was found in Moodle. Additional checks are required to ensure users can only edit or delete RSS feeds that they have permission to modify.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2024

CVE-2024-48896

Publication date:
18/11/2024
A vulnerability was found in Moodle. It is possible for users with the "send message" capability to view other users' names that they may not otherwise have access to via an error message in Messaging. Note: The name returned follows the full name format configured on the site.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2024

CVE-2024-48898

Publication date:
18/11/2024
A vulnerability was found in Moodle. Users with access to delete audiences from reports could delete audiences from other reports that they do not have permission to delete from.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2024

CVE-2024-48901

Publication date:
18/11/2024
A vulnerability was found in Moodle. Additional checks are required to ensure users can only access the schedule of a report if they have permission to edit that report.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2024

CVE-2024-52317

Publication date:
18/11/2024
Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2025

CVE-2024-52316

Publication date:
18/11/2024
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2025

CVE-2024-11319

Publication date:
18/11/2024
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in django CMS Association django-cms allows Cross-Site Scripting (XSS). This issue affects django-cms: 3.11.7, 3.11.8, 4.1.2, 4.1.3.
Severity CVSS v4.0: CRITICAL
Last modification:
12/09/2025

CVE-2024-11023

Publication date:
18/11/2024
Firebase JavaScript SDK utilizes a "FIREBASE_DEFAULTS" cookie to store configuration data, including an "_authTokenSyncURL" field used for session synchronization. If this cookie field is preset by an attacker via any other method, the attacker can manipulate the "_authTokenSyncURL" to point to their own server, which would allow an actor to capture user session data transmitted by the SDK. We recommend upgrading Firebase JS SDK at least to 10.9.0.
Severity CVSS v4.0: MEDIUM
Last modification:
23/07/2025

CVE-2024-42389

Publication date:
18/11/2024
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2024

CVE-2024-42390

Publication date:
18/11/2024
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2024