Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-48509

Publication date:
21/10/2024
Learning with Texts (LWT) 2.0.3 is vulnerable to SQL Injection. This occurs when the application fails to properly sanitize user inputs, allowing attackers to manipulate SQL queries by injecting malicious SQL statements into URL parameters. By exploiting this vulnerability, an attacker could gain unauthorized access to the database, retrieve sensitive information, modify or delete data, and execute arbitrary commands.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2025

CVE-2024-31007

Publication date:
21/10/2024
Buffer Overflow vulnerability in IrfanView 32bit v.4.66 allows a local attacker to cause a denial of service via a crafted file. Affected component is IrfanView 32bit 4.66 with plugin formats.dll.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-46326

Publication date:
21/10/2024
Public Knowledge Project pkp-lib 3.4.0-7 and earlier is vulnerable to Open redirect due to a lack of input sanitization in the logout function.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2022-49019

Publication date:
21/10/2024
In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: nixge: fix NULL dereference

In function nixge_hw_dma_bd_release() dereference of NULL pointer priv->rx_bd_v is possible for the case of its allocation failure in nixge_hw_dma_bd_init().

Move for() loop with priv->rx_bd_v dereference under the check for its validity.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity CVSS v4.0: Pending analysis
Last modification:
24/10/2024

CVE-2022-49020

Publication date:
21/10/2024
In the Linux kernel, the following vulnerability has been resolved:

net/9p: Fix a potential socket leak in p9_socket_open

Both p9_fd_create_tcp() and p9_fd_create_unix() will call p9_socket_open(). If the creation of p9_trans_fd fails, p9_fd_create_tcp() and p9_fd_create_unix() will return an error directly instead of releasing the csocket, which will result in a socket leak.

This patch adds sock_release() to fix the leak issue.
Severity CVSS v4.0: Pending analysis
Last modification:
24/10/2024

CVE-2022-49021

Publication date:
21/10/2024
In the Linux kernel, the following vulnerability has been resolved:

net: phy: fix null-ptr-deref while probe() failed

I got a null-ptr-deref report as following when doing fault injection test:

BUG: kernel NULL pointer dereference, address: 0000000000000058
Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 PID: 253 Comm: 507-spi-dm9051 Tainted: G B N 6.1.0-rc3+
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:klist_put+0x2d/0xd0
Call Trace:

klist_remove+0xf1/0x1c0
device_release_driver_internal+0x23e/0x2d0
bus_remove_device+0x1bd/0x240
device_del+0x357/0x770
phy_device_remove+0x11/0x30
mdiobus_unregister+0xa5/0x140
release_nodes+0x6a/0xa0
devres_release_all+0xf8/0x150
device_unbind_cleanup+0x19/0xd0

//probe path:
phy_device_register()
device_add()

phy_connect
phy_attach_direct() //set device driver
probe() //it's failed, driver is not bound
device_bind_driver() // probe failed, it's not called

//remove path:
phy_device_remove()
device_del()
device_release_driver_internal()
__device_release_driver() //dev->drv is not NULL
klist_remove() driver', probe() fails,
device_bind_driver() is not called, so the knode_driver->n_klist is not
set, then it causes null-ptr-deref in __device_release_driver() while
deleting device. Fix this by setting dev->driver to NULL in the error
path in phy_attach_direct().
Severity CVSS v4.0: Pending analysis
Last modification:
24/10/2024

CVE-2022-49022

Publication date:
21/10/2024
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac8021: fix possible oob access in ieee80211_get_rate_duration

Fix possible out-of-bound access in ieee80211_get_rate_duration routine as reported by the following UBSAN report:

UBSAN: array-index-out-of-bounds in net/mac80211/airtime.c:455:47
index 15 is out of range for type 'u16 [12]'
CPU: 2 PID: 217 Comm: kworker/u32:10 Not tainted 6.1.0-060100rc3-generic
Hardware name: Acer Aspire TC-281/Aspire TC-281, BIOS R01-A2 07/18/2017
Workqueue: mt76 mt76u_tx_status_data [mt76_usb]
Call Trace:

show_stack+0x4e/0x61
dump_stack_lvl+0x4a/0x6f
dump_stack+0x10/0x18
ubsan_epilogue+0x9/0x43
__ubsan_handle_out_of_bounds.cold+0x42/0x47
ieee80211_get_rate_duration.constprop.0+0x22f/0x2a0 [mac80211]
? ieee80211_tx_status_ext+0x32e/0x640 [mac80211]
ieee80211_calc_rx_airtime+0xda/0x120 [mac80211]
ieee80211_calc_tx_airtime+0xb4/0x100 [mac80211]
mt76x02_send_tx_status+0x266/0x480 [mt76x02_lib]
mt76x02_tx_status_data+0x52/0x80 [mt76x02_lib]
mt76u_tx_status_data+0x67/0xd0 [mt76_usb]
process_one_work+0x225/0x400
worker_thread+0x50/0x3e0
? process_one_work+0x400/0x400
kthread+0xe9/0x110
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
Severity CVSS v4.0: Pending analysis
Last modification:
24/10/2024

CVE-2022-49023

Publication date:
21/10/2024
In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: fix buffer overflow in elem comparison

For vendor elements, the code here assumes that 5 octets are present without checking. Since the element itself is already checked to fit, we only need to check the length.
Severity CVSS v4.0: Pending analysis
Last modification:
24/10/2024

CVE-2022-49024

Publication date:
21/10/2024
In the Linux kernel, the following vulnerability has been resolved:

can: m_can: pci: add missing m_can_class_free_dev() in probe/remove methods

In m_can_pci_remove() and error handling path of m_can_pci_probe(), m_can_class_free_dev() should be called to free resource allocated by m_can_class_allocate_dev(), otherwise there will be memleak.
Severity CVSS v4.0: Pending analysis
Last modification:
24/10/2024

CVE-2022-49025

Publication date:
21/10/2024
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix use-after-free when reverting termination table

When having multiple dests with termination tables and second one or afterwards fails the driver reverts usage of term tables but doesn't reset the assignment in attr->dests[num_vport_dests].termtbl which causes a use-after-free when releasing the rule.
Fix by resetting the assignment of termtbl to null.
Severity CVSS v4.0: Pending analysis
Last modification:
24/10/2024

CVE-2022-49026

Publication date:
21/10/2024
In the Linux kernel, the following vulnerability has been resolved:

e100: Fix possible use after free in e100_xmit_prepare

In e100_xmit_prepare(), if we can't map the skb, then return -ENOMEM, so e100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will resend the skb. But the skb is already freed, which will cause UAF bug when the upper layer resends the skb.

Remove the harmful free.
Severity CVSS v4.0: Pending analysis
Last modification:
24/10/2024

CVE-2022-49027

Publication date:
21/10/2024
In the Linux kernel, the following vulnerability has been resolved:

iavf: Fix error handling in iavf_init_module()

The iavf_init_module() won't destroy workqueue when pci_register_driver() failed. Call destroy_workqueue() when pci_register_driver() failed to prevent the resource leak.

Similar to the handling of u132_hcd_init in commit f276e002793c ("usb: u132-hcd: fix resource leak")
Severity CVSS v4.0: Pending analysis
Last modification:
24/10/2024