Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-36018

Publication date:
30/05/2024
In the Linux kernel, the following vulnerability has been resolved:

nouveau/uvmm: fix addr/range calcs for remap operations

dEQP-VK.sparse_resources.image_rebind.2d_array.r64i.128_128_8 was causing a remap operation like the below.

op_remap: prev: 0000003fffed0000 00000000000f0000 00000000a5abd18a 0000000000000000
op_remap: next:
op_remap: unmap: 0000003fffed0000 0000000000100000 0
op_map: map: 0000003ffffc0000 0000000000010000 000000005b1ba33c 00000000000e0000

This was resulting in an unmap operation from 0x3fffed0000+0xf0000, 0x100000 which was corrupting the pagetables and oopsing the kernel.

Fixes the prev + unmap range calcs to use start/end and map back to addr/range.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2025

CVE-2024-5516

Publication date:
30/05/2024
A vulnerability was found in itsourcecode Online Blood Bank Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file massage.php. The manipulation of the argument bid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-266587.
Severity CVSS v4.0: MEDIUM
Last modification:
11/02/2025

CVE-2024-5515

Publication date:
30/05/2024
A vulnerability was found in SourceCodester Stock Management System 1.0. It has been classified as critical. Affected is an unknown function of the file createBrand.php. The manipulation of the argument brandName leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-266586 is the identifier assigned to this vulnerability.
Severity CVSS v4.0: MEDIUM
Last modification:
10/02/2025

CVE-2024-3584

Publication date:
30/05/2024
qdrant/qdrant version 1.9.0-dev is vulnerable to path traversal due to improper input validation in the `/collections/{name}/snapshots/upload` endpoint. By manipulating the `name` parameter through URL encoding, an attacker can upload a file to an arbitrary location on the system, such as `/root/poc.txt`. This vulnerability allows for the writing and overwriting of arbitrary files on the server, potentially leading to a full takeover of the system. The issue is fixed in version 1.9.0.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2024-36017

Publication date:
30/05/2024
In the Linux kernel, the following vulnerability has been resolved:

rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation

Each attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a struct ifla_vf_vlan_info so the size of such attribute needs to be at least of sizeof(struct ifla_vf_vlan_info) which is 14 bytes. The current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes) which is less than sizeof(struct ifla_vf_vlan_info) so this validation is not enough and a too small attribute might be cast to a struct ifla_vf_vlan_info, this might result in an out of bounds read access when accessing the saved (casted) entry in ivvl.
Severity CVSS v4.0: Pending analysis
Last modification:
17/12/2025

CVE-2024-5521

Publication date:
30/05/2024
Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user having the roles of gallery editor or VFS resource manager to upload images in the .svg format containing JavaScript code. The code will be executed the moment another user accesses the image.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2025

CVE-2022-43841

Publication date:
30/05/2024
IBM Aspera Console 3.4.0 through 3.4.2 PL9 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 239078.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2025

CVE-2024-1100

Publication date:
30/05/2024
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Vadi Corporate Information Systems DIGIKENT GIS allows SQL Injection. This issue affects DIGIKENT GIS: through 2.23.5.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2024-5520

Publication date:
30/05/2024
Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user with sufficient privileges to create and modify web pages through the admin panel to execute malicious JavaScript code after inserting code in the “title” field.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2025

CVE-2022-43384

Publication date:
30/05/2024
IBM Aspera Console 3.4.0 through 3.4.2 PL5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 238645.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2025

CVE-2022-43575

Publication date:
30/05/2024
IBM Aspera Console 3.4.0 through 3.4.2 PL5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 238645.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2025

CVE-2024-3583

Publication date:
30/05/2024
The Simple Like Page Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
30/05/2024