Vulnerabilities

With the aim of informing, warning and helping professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish by virtue of a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-8653

Publication date:
19/09/2024
A vulnerability in NetCat CMS allows an attacker to execute JavaScript code in a user's browser when they visit specific paths on the site. This issue affects NetCat CMS v. 6.4.0.24126.2 and possibly others. Apply the patch from the vendor: https://netcat.ru/ . Versions 6.4.0.24248 and on have the patch.
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2024

CVE-2024-31570

Publication date:
19/09/2024
libfreeimage in FreeImage 3.4.0 through 3.18.0 has a stack-based buffer overflow in the PluginXPM.cpp Load function via an XPM file.
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2024

CVE-2024-38016

Publication date:
19/09/2024
Microsoft Office Visio Remote Code Execution Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
24/09/2024

CVE-2024-8375

Publication date:
19/09/2024
There exists a use after free vulnerability in Reverb. Reverb supports the VARIANT datatype, which is supposed to represent an arbitrary object in C++. When a tensor proto of type VARIANT is unpacked, memory is first allocated to store the entire tensor, and a ctor is called on each instance. Afterwards, Reverb copies the content in tensor_content to the previously mentioned pre-allocated memory, which results in the bytes in tensor_content overwriting the vtable pointers of all the objects which were previously allocated. Reverb exposes 2 relevant gRPC endpoints: InsertStream and SampleStream. The attacker can insert this stream into the server's database, then when the client next calls SampleStream they will unpack the tensor into RAM, and when any method on that object is called (including its destructor) the attacker gains control of the Program Counter. We recommend upgrading past git commit https://github.com/google-deepmind/reverb/commit/6a0dcf4c9e842b7f999912f792aaa6f6bd261a25
Severity CVSS v4.0: MEDIUM
Last modification:
22/07/2025

CVE-2024-8698

Publication date:
19/09/2024
A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2024

CVE-2024-8883

Publication date:
19/09/2024
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
Severity CVSS v4.0: Pending analysis
Last modification:
26/11/2024

CVE-2024-45861

Publication date:
19/09/2024
Kastle Systems firmware prior to May 1, 2024, contained a hard-coded credential, which if accessed may allow an attacker to access sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2024

CVE-2024-45862

Publication date:
19/09/2024
Kastle Systems firmware prior to May 1, 2024, stored machine credentials in cleartext, which may allow an attacker to access sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2024

CVE-2024-7736

Publication date:
19/09/2024
A reflected Cross-site Scripting (XSS) vulnerability affecting ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in a user's browser session.
Severity CVSS v4.0: Pending analysis
Last modification:
22/10/2025

CVE-2024-7737

Publication date:
19/09/2024
A stored Cross-site Scripting (XSS) vulnerability affecting 3DSwym in 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in a user's browser session.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2024-45752

Publication date:
19/09/2024
logiops through 0.3.4, in its default configuration, allows any unprivileged user to configure its logid daemon via an unrestricted D-Bus service, including setting malicious keyboard macros. This allows for privilege escalation with minimal user interaction.
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2024

CVE-2024-7785

Publication date:
19/09/2024
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ece Software Electronic Ticket System allows Reflected XSS, Cross-Site Scripting (XSS). This issue affects Electronic Ticket System: before 2024.08.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024