Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-37762
Publication date:
01/07/2024
MachForm up to version 21 is affected by an authenticated unrestricted file upload which leads to a remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2025

CVE-2024-38367
Publication date:
01/07/2024
trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. Prior to commit d4fa66f49cedab449af9a56a21ab40697b9f7b97, the trunk sessions verification step could be manipulated for owner session hijacking Compromising a victim’s session will result in a full takeover of the CocoaPods trunk account. The threat actor could manipulate their pod specifications, disrupt the distribution of legitimate libraries, or cause widespread disruption within the CocoaPods ecosystem. This was patched server-side with commit d4fa66f49cedab449af9a56a21ab40697b9f7b97 in October 2023.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2024

CVE-2024-38368
Publication date:
01/07/2024
trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. A vulnerability affected older pods which migrated from the pre-2014 pull request workflow to trunk. If the pods had never been claimed then it was still possible to do so. It was also possible to have all owners removed from a pod, and that made the pod available for the same claiming system. This was patched server-side in commit 71be5440906b6bdfbc0bcc7f8a9fec33367ea0f4 in September 2023.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2024

CVE-2024-39305
Publication date:
01/07/2024
Envoy is a cloud-native, open source edge and service proxy. Prior to versions 1.30.4, 1.29.7, 1.28.5, and 1.27.7. Envoy references already freed memory when route hash policy is configured with cookie attributes. Note that this vulnerability has been fixed in the open as the effect would be immediately apparent if it was configured. Memory allocated for holding attribute values is freed after configuration was parsed. During request processing Envoy will attempt to copy content of de-allocated memory into request cookie header. This can lead to arbitrary content of Envoy's memory to be sent to the upstream service or abnormal process termination. This vulnerability is fixed in Envoy versions v1.30.4, v1.29.7, v1.28.5, and v1.27.7. As a workaround, do not use cookie attributes in route action hash policy.
Severity CVSS v4.0: Pending analysis
Last modification:
02/09/2025

CVE-2024-5322
Publication date:
01/07/2024
The N-central server is vulnerable to session rebinding of already authenticated users when using Entra SSO, which can lead to authentication bypass.<br /> <br /> This vulnerability is present in all Entra-supported deployments of N-central prior to 2024.3.
Severity CVSS v4.0: Pending analysis
Last modification:
08/09/2025

CVE-2024-28200
Publication date:
01/07/2024
The N-central server is vulnerable to an authentication bypass of the user interface. This vulnerability is present in all deployments of N-central prior to 2024.2.<br /> <br /> This vulnerability was discovered through internal N-central source code review and N-able has not observed any exploitation in the wild.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2024

CVE-2024-32228
Publication date:
01/07/2024
FFmpeg 7.0 is vulnerable to Buffer Overflow. There is a SEGV at libavcodec/hevcdec.c:2947:22 in hevc_frame_end.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2025

CVE-2024-32229
Publication date:
01/07/2024
FFmpeg 7.0 contains a heap-buffer-overflow at libavfilter/vf_tiltandshift.c:189:5 in copy_column.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2025

CVE-2024-32230
Publication date:
01/07/2024
FFmpeg 7.0 is vulnerable to Buffer Overflow. There is a negative-size-param bug at libavcodec/mpegvideo_enc.c:1216:21 in load_input_picture in FFmpeg7.0
Severity CVSS v4.0: Pending analysis
Last modification:
14/03/2025

CVE-2024-38366
Publication date:
01/07/2024
trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. The part of trunk which verifies whether a user has a real email address on signup used a rfc-822 library which executes a shell command to validate the email domain MX records validity. It works via an DNS MX. This lookup could be manipulated to also execute a command on the trunk server, effectively giving root access to the server and the infrastructure. This issue was patched server-side with commit 001cc3a430e75a16307f5fd6cdff1363ad2f40f3 in September 2023. This RCE triggered a full user-session reset, as an attacker could have used this method to write to any Podspec in trunk.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2024

CVE-2024-39249
Publication date:
01/07/2024
Async
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2024-38513
Publication date:
01/07/2024
Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber&amp;#39;s session middleware in the affected versions are impacted. The issue has been addressed in version 2.52.5. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability. Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk: Either implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server, or regularly rotate session IDs and enforce strict session expiration policies.
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2025
Subscribe to Vulnerabilities