Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish by virtue of a partnership agreement.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any patches or solutions made available by manufacturers and developers. Advanced searches are possible, with the option to select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters, you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-39302

Publication date:
28/06/2024
BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker may be able to exploit the overly elevated file permissions in the `/usr/local/bigbluebutton/core/vendor/bundle/ruby/2.7.0/gems/resque-2.6.0` directory with the goal of privilege escalation, potentially exposing sensitive information on the server. This issue has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2024

CVE-2024-39307

Publication date:
28/06/2024
Kavita is a cross platform reading server. Opening an ebook with malicious scripts inside leads to code execution inside the browsing context. Kavita doesn't sanitize or sandbox the contents of epubs, allowing scripts inside ebooks to execute. This vulnerability was patched in version 0.8.1.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2024

CVE-2024-29040

Publication date:
28/06/2024
This repository hosts source code implementing the Trusted Computing Group's (TCG) TPM2 Software Stack (TSS). The JSON Quote Info returned by Fapi_Quote has to be deserialized by Fapi_VerifyQuote to the TPM Structure `TPMS_ATTEST`. For the field `TPM2_GENERATED magic` of this structure any number can be used in the JSON structure. The verifier can receive a state which does not represent the actual, possibly malicious state of the device under test. The malicious device might get access to data it shouldn't, or can use services it shouldn't be able to. This issue has been patched in version 4.1.0.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2024-5827

Publication date:
28/06/2024
Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents ``. This can lead to command execution or the creation of backdoors.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2025

CVE-2024-38528

Publication date:
28/06/2024
ntpd-rs is a tool for synchronizing your computer's clock, implementing the NTP and NTS protocols. There is a missing limit for accepted NTS-KE connections. This allows an unauthenticated remote attacker to crash ntpd-rs when an NTS-KE server is configured. Non NTS-KE server configurations, such as the default ntpd-rs configuration, are unaffected. This vulnerability has been patched in version 1.1.3.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2024

CVE-2024-3995

Publication date:
28/06/2024
In Helix ALM versions prior to 2024.2.0, a local command injection was identified. Reported by Bryan Riggins.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2024

CVE-2024-5712

Publication date:
28/06/2024
A Cross-Site Request Forgery (CSRF) vulnerability was identified in the stitionai/devika application, affecting the latest version. This vulnerability allows attackers to perform unauthorized actions in the context of a victim's browser, such as deleting projects or changing application settings, without any CSRF protection implemented. Successful exploitation disrupts the integrity and availability of the application and its data.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2025

CVE-2024-5972

Publication date:
28/06/2024
Rejected reason: CVE ID issued in error. This is not a valid vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2024

CVE-2024-38322

Publication date:
28/06/2024
IBM Storage Defender - Resiliency Service 2.0.0 through 2.0.4 agent username and password error response discrepancy exposes product to brute force enumeration. IBM X-Force ID: 294869.
Severity CVSS v4.0: Pending analysis
Last modification:
20/08/2024

CVE-2024-38514

Publication date:
28/06/2024
NextChat is a cross-platform ChatGPT/Gemini UI. There is a Server-Side Request Forgery (SSRF) vulnerability due to a lack of validation of the `endpoint` GET parameter on the WebDav API endpoint. This SSRF can be used to perform arbitrary HTTPS request from the vulnerable instance (MKCOL, PUT and GET methods supported), or to target NextChat users and make them execute arbitrary JavaScript code in their browser. This vulnerability has been patched in version 2.12.4.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2024

CVE-2024-27628

Publication date:
28/06/2024
Buffer Overflow vulnerability in DCMTK v.3.6.8 allows an attacker to execute arbitrary code via the EctEnhancedCT method component.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2025

CVE-2024-27629

Publication date:
28/06/2024
An issue in dc2niix before v.1.0.20240202 allows a local attacker to execute arbitrary code because the generated file name is not properly escaped and is injected into a system call when certain types of compression are used.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2024