Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-41435

Publication date:
03/09/2024
YugabyteDB v2.21.1.0 was discovered to contain a buffer overflow via the "insert into" parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2024-7619

Publication date:
03/09/2024
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that there was not reasonable evidence to determine the existence of a vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
03/09/2024

CVE-2024-42902

Publication date:
03/09/2024
An issue in the js_localize.php function of LimeSurvey v6.6.2 and before allows attackers to execute arbitrary code via injecting a crafted payload into the lng parameter of the js_localize.php function.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2024-42903

Publication date:
03/09/2024
A Host header injection vulnerability in the password reset function of LimeSurvey v.6.6.1+240806 and before allows attackers to send users a crafted password reset link that will direct victims to a malicious domain.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2025

CVE-2024-42904

Publication date:
03/09/2024
A cross-site scripting (XSS) vulnerability in SysPass 3.2.x allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the name parameter at /Controllers/ClientController.php.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2025

CVE-2024-38456

Publication date:
03/09/2024
HIGH-LEIT V05.08.01.03 and HIGH-LEIT V04.25.00.00 to 4.25.01.01 for Windows from Vivavis contain an insecure file and folder permissions vulnerability in prunsrv.exe. A regular user (non-admin) can exploit the weak folder and file permissions to escalate privileges and execute arbitrary code in the context of NT AUTHORITY\SYSTEM.
Severity CVSS v4.0: Pending analysis
Last modification:
03/09/2024

CVE-2024-42901

Publication date:
03/09/2024
A CSV injection vulnerability in Lime Survey v6.5.12 allows attackers to execute arbitrary code via uploading a crafted CSV file.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2025

CVE-2024-43412

Publication date:
03/09/2024
Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute arbitrary JavaScript via the file preview function. Users can upload HTML/CSS/JS files into the Xibo Library via the Generic File module to be referenced on Displays and in Layouts. This is intended functionality. When previewing these resources from the Library and Layout editor they are executed in the user's browser. This will be disabled in future releases, and users are encouraged to use the new developer tools in 4.1 to design their widgets which require this type of functionality. This behavior has been changed in 4.1.0 to prevent previewing of generic files. There are no workarounds for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2024

CVE-2023-49233

Publication date:
03/09/2024
Insufficient access checks in Visual Planning Admin Center 8 before v.1 Build 240207 allow attackers in possession of a non-administrative Visual Planning account to utilize functions normally reserved for administrators. The affected functions allow attackers to obtain different types of configured credentials and potentially elevate their privileges to administrator level.
Severity CVSS v4.0: Pending analysis
Last modification:
24/10/2024

CVE-2024-6119

Publication date:
03/09/2024
Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process.

Impact summary: Abnormal termination of an application can cause a denial of service.

Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program.

Note that basic certificate chain validation (signatures, dates, ...) is not affected; the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address.

TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2025

CVE-2024-42991

Publication date:
03/09/2024
MCMS v5.4.1 has a front-end file upload vulnerability which can lead to remote command execution.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2025

CVE-2024-7654

Publication date:
03/09/2024
An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated. Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface, making it possible for other types of attack that could spoof or deceive web interface users. Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default.
Severity CVSS v4.0: Pending analysis
Last modification:
05/09/2024