Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-42490

Publication date:

22/08/2024

authentik is an open-source Identity Provider. Several API endpoints can be accessed by users without correct authentication/authorization. The main API endpoints affected by this are /api/v3/crypto/certificatekeypairs//view_certificate/, /api/v3/crypto/certificatekeypairs//view_private_key/, and /api/v3/.../used_by/. Note that all of the affected API endpoints require the knowledge of the ID of an object, which especially for certificates is not accessible to an unprivileged user. Additionally the IDs for most objects are UUIDv4, meaning they are not easily guessable/enumerable. authentik 2024.4.4, 2024.6.4 and 2024.8.0 fix this issue.

Severity CVSS v4.0: Pending analysis

Last modification:

21/08/2025

CVE-2024-42497

Publication date:

22/08/2024

Mattermost versions 9.9.x

Severity CVSS v4.0: Pending analysis

Last modification:

16/10/2024

CVE-2024-42769

Publication date:

22/08/2024

A Reflected Cross Site Scripting (XSS) vulnerability was found in "/core/signup_user.php " of Kashipara Hotel Management System v1.0, which allows remote attackers to execute arbitrary code via "user_fname" and "user_lname" parameters.

Severity CVSS v4.0: Pending analysis

Last modification:

30/04/2025

CVE-2024-42771

Publication date:

22/08/2024

A Stored Cross Site Scripting (XSS) vulnerability was found in " /admin/edit_room_controller.php" of the Kashipara Hotel Management System v1.0, which allows remote attackers to execute arbitrary code via "room_name" parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

30/04/2025

CVE-2024-43780

Publication date:

22/08/2024

Mattermost versions 9.9.x

Severity CVSS v4.0: Pending analysis

Last modification:

16/10/2024

CVE-2024-42770

Publication date:

22/08/2024

A Stored Cross Site Scripting (XSS) vulnerability was found in "/core/signup_user.php" of Kashipara Hotel Management System v1.0, which allows remote attackers to execute arbitrary code via the "user_email" parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

30/04/2025

CVE-2024-36441

Publication date:

22/08/2024

Swissphone DiCal-RED 4009 devices allow an unauthenticated attacker use a port-2101 TCP connection to gain access to operation messages that are received by the device.

Severity CVSS v4.0: Pending analysis

Last modification:

23/08/2024

CVE-2024-3127

Publication date:

22/08/2024

An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, all versions starting from 17.3 before 17.3.1. Under certain conditions it may be possible to bypass the IP restriction for groups through GraphQL allowing unauthorised users to perform some actions at the group level.

Severity CVSS v4.0: Pending analysis

Last modification:

13/12/2024

CVE-2024-40884

Publication date:

22/08/2024

Mattermost versions 9.5.x

Severity CVSS v4.0: Pending analysis

Last modification:

17/10/2024

CVE-2023-6452

Publication date:

22/08/2024

Improper Neutralization of Input During Web Page Generation (&#39;Cross-site Scripting&#39;) vulnerability in Forcepoint Web Security (Transaction Viewer) allows Stored XSS. The Forcepoint Web Security portal allows administrators to generate detailed reports on user requests made through the Web proxy. It has been determined that the "user agent" field in the Transaction Viewer is vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability, which can be exploited by any user who can route traffic through the Forcepoint Web proxy. This vulnerability enables unauthorized attackers to execute JavaScript within the browser context of a Forcepoint administrator, thereby allowing them to perform actions on the administrator&#39;s behalf. Such a breach could lead to unauthorized access or modifications, posing a significant security risk. This issue affects Web Security: before 8.5.6.

Severity CVSS v4.0: Pending analysis

Last modification:

23/08/2024

CVE-2024-36442

Publication date:

22/08/2024

cgi-bin/fdmcgiwebv2.cgi on Swissphone DiCal-RED 4009 devices allows an authenticated attacker to gain access to arbitrary files on the device&#39;s file system.

Severity CVSS v4.0: Pending analysis

Last modification:

23/08/2024