Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-39317

Publication date:
11/07/2024
Wagtail is an open source content management system built on Django. A bug in Wagtail's `parse_query_string` would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, `parse_query_string` would take an unexpectedly large amount of time to process, resulting in a denial of service. In an initial Wagtail installation, the vulnerability can be exploited by any Wagtail admin user. It cannot be exploited by end users. If your Wagtail site has a custom search implementation which uses `parse_query_string`, it may be exploitable by other users (e.g. unauthenticated users). Patched versions have been released as Wagtail 5.2.6, 6.0.6 and 6.1.3.
Severity CVSS v4.0: Pending analysis
Last modification:
19/09/2024

CVE-2024-39519

Publication date:
11/07/2024
An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS Evolved on ACX7000 Series allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).

On all ACX 7000 Series platforms running Junos OS Evolved, and configured with IRBs, if a Customer Edge device (CE) device is dual homed to two Provider Edge devices (PE) a traffic loop will occur when the CE sends multicast packets. This issue can be triggered by IPv4 and IPv6 traffic.

This issue affects Junos OS Evolved:

All versions from 22.2R1-EVO and later versions before 22.4R2-EVO.

This issue does not affect Junos OS Evolved versions before 22.1R1-EVO.
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2024

CVE-2024-39520

Publication date:
11/07/2024
An Improper Neutralization of Special Elements vulnerability in Juniper Networks Junos OS Evolved commands allows a local, authenticated attacker with low privileges to escalate their privileges to 'root' leading to a full compromise of the system.

The Junos OS Evolved CLI doesn't properly handle command options in some cases, allowing users which execute specific CLI commands with a crafted set of parameters to escalate their privileges to root on shell level.

This issue affects Junos OS Evolved:

* All versions before 20.4R3-S6-EVO,
* 21.2-EVO versions before 21.2R3-S4-EVO,
* 21.4-EVO versions before 21.4R3-S6-EVO,
* 22.2-EVO versions before 22.2R2-S1-EVO, 22.2R3-EVO,
* 22.3-EVO versions before 22.3R2-EVO.
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2024

CVE-2024-6679

Publication date:
11/07/2024
A vulnerability classified as critical has been found in witmy my-springsecurity-plus up to 2024-07-04. Affected is an unknown function of the file /api/role. The manipulation of the argument params.dataScope leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-271152.
Severity CVSS v4.0: MEDIUM
Last modification:
10/10/2025

CVE-2024-38534

Publication date:
11/07/2024
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Crafted modbus traffic can lead to unlimited resource accumulation within a flow. Upgrade to 7.0.6. Set a limited stream.reassembly.depth to reduce the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2024

CVE-2024-38535

Publication date:
11/07/2024
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Suricata can run out of memory when parsing crafted HTTP/2 traffic. Upgrade to 6.0.20 or 7.0.6.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2024

CVE-2024-38536

Publication date:
11/07/2024
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. A memory allocation failure due to `http.memcap` being reached leads to a NULL-ptr reference leading to a crash. Upgrade to 7.0.6.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2024

CVE-2024-28872

Publication date:
11/07/2024
The TLS certificate validation code is flawed. An attacker can obtain a TLS certificate from the Stork server and use it to connect to the Stork agent. Once this connection is established with the valid certificate, the attacker can send malicious commands to a monitored service (Kea or BIND 9), possibly resulting in confidential data loss and/or denial of service. It should be noted that this vulnerability is not related to BIND 9 or Kea directly, and only customers using the Stork management tool are potentially affected.

This issue affects Stork versions 0.15.0 through 1.15.0.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2025

CVE-2024-37151

Publication date:
11/07/2024
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Mishandling of multiple fragmented packets using the same IP ID value can lead to packet reassembly failure, which can lead to policy bypass. Upgrade to 7.0.6 or 6.0.20. When using af-packet, enable `defrag` to reduce the scope of the problem.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-6035

Publication date:
11/07/2024
A Stored Cross-Site Scripting (XSS) vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240410. This vulnerability allows an attacker to inject malicious JavaScript code into the chat history file. When a victim uploads this file, the malicious script is executed in the victim's browser. This can lead to user data theft, session hijacking, malware distribution, and phishing attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2024

CVE-2024-6643

Publication date:
11/07/2024
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2024

CVE-2024-6407

Publication date:
11/07/2024
CWE-200: Information Exposure vulnerability exists that could cause disclosure of credentials when a specially crafted message is sent to the device.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2024