Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available to interested users a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); by virtue of a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-6461

Publication date:
03/07/2024
Rejected reason: **REJECT** This is a duplicate CVE issued in error on a framework vulnerability. Please use CVE-2024-5324 instead.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2024-6463

Publication date:
03/07/2024
Rejected reason: **REJECT** This is a duplicate CVE issued in error on a framework vulnerability. Please use CVE-2024-5324 instead.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2024-6464

Publication date:
03/07/2024
Rejected reason: **REJECT** This is a duplicate CVE issued in error on a framework vulnerability. Please use CVE-2024-5324 instead.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2024-39683

Publication date:
03/07/2024
ZITADEL is an open-source identity infrastructure tool. ZITADEL provides users the ability to list all user sessions of the current user agent (browser). Starting in version 2.53.0 and prior to versions 2.53.8, 2.54.5, and 2.55.1, due to a missing check, user sessions without that information (e.g. when created through the session service) were incorrectly listed, potentially exposing other users' sessions. Versions 2.55.1, 2.54.5, and 2.53.8 contain a fix for the issue. There is no workaround since a patch is already available.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2025

CVE-2024-36122

Publication date:
03/07/2024
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches, moderators using the review queue to review users may see a user's email address even when the Allow moderators to view email addresses setting is disabled. This issue is patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches. As possible workarounds, either prevent moderators from accessing the review queue or disable the approve suspect users site setting and the must approve users site setting to prevent users from being added to the review queue.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2024

CVE-2024-37157

Publication date:
03/07/2024
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches, a malicious actor could get the FastImage library to redirect requests to an internal Discourse IP. This issue is patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches. No known workarounds are available.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2024

CVE-2024-34750

Publication date:
03/07/2024
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams, which in turn led to the use of an incorrect infinite timeout, which allowed connections to remain open that should have been closed.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89.

The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected.

Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-6488

Publication date:
03/07/2024
Rejected reason: This is REJECTED.
Severity CVSS v4.0: Pending analysis
Last modification:
04/07/2024

CVE-2024-35234

Publication date:
03/07/2024
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch, an attacker can execute arbitrary JavaScript in users' browsers by posting a specific URL containing maliciously crafted meta tags. This issue only affects sites with Content Security Policy (CSP) disabled. The problem has been patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch. As a workaround, ensure CSP is enabled on the forum.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2024

CVE-2024-36113

Publication date:
03/07/2024
Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch, a rogue staff user could suspend other staff users, preventing them from logging in to the site. The issue is patched in version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch. No known workarounds are available.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2024

CVE-2024-29507

Publication date:
03/07/2024
Artifex Ghostscript before 10.03.0 sometimes has a stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2025

CVE-2024-29510

Publication date:
03/07/2024
Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2025