Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-45168

Publication date:
10/06/2024
An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication can occur under the /login/backup_code endpoint and the /api/v1/vdeskintegration/createbackupcodes endpoint, because the application allows a user to generate or regenerate the backup codes before checking the TOTP.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025

CVE-2022-45176

Publication date:
10/06/2024
An issue was discovered in LIVEBOX Collaboration vDesk through v018. Stored Cross-site Scripting (XSS) can occur under the /api/v1/getbodyfile endpoint via the uri parameter. The web application (through its vShare functionality section) doesn't properly check parameters, sent in HTTP requests as input, before saving them on the server. In addition, crafted JavaScript content can then be reflected back to the end user and executed by the web browser.
Severity CVSS v4.0: Pending analysis
Last modification:
19/08/2024

CVE-2024-5785

Publication date:
10/06/2024
Command injection vulnerability in Comtrend router WLD71-T1_v2.0.201820, affecting the GRG-4280us version. This vulnerability could allow an authenticated user to execute commands inside the router by making a POST request to the URL “/boaform/admin/formUserTracert”.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2024

CVE-2024-5786

Publication date:
10/06/2024
Cross-Site Request Forgery vulnerability in Comtrend router WLD71-T1_v2.0.201820, affecting the GRG-4280us version. This vulnerability allows an attacker to force an end user to execute unwanted actions in a web application to which he is authenticated.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2024

CVE-2024-36405

Publication date:
10/06/2024
liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. A control-flow timing leak has been identified in the reference implementation of the Kyber key encapsulation mechanism when it is compiled with Clang 15-18 for `-Os`, `-O1`, and other compilation options. A proof-of-concept local attack on the reference implementation leaks the entire ML-KEM 512 secret key in ~10 minutes using end-to-end decapsulation timing measurements. The issue has been fixed in version 0.10.1. As a possible workaround, some compiler options may produce vectorized code that does not leak secret information; however, relying on these compiler options as a workaround may not be reliable.
Severity CVSS v4.0: Pending analysis
Last modification:
20/08/2025

CVE-2024-3699

Publication date:
10/06/2024
Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all drEryk Gabinet installations. This issue affects drEryk Gabinet software versions from 7.0.0.0 through 9.17.0.0.
Severity CVSS v4.0: CRITICAL
Last modification:
03/10/2025

CVE-2024-3700

Publication date:
10/06/2024
Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all Simple Care software installations. This issue affects Estomed Sp. z o.o. Simple Care software in all versions. The software is no longer supported.
Severity CVSS v4.0: CRITICAL
Last modification:
03/10/2025

CVE-2024-28833

Publication date:
10/06/2024
Improper restriction of excessive authentication attempts with two factor authentication methods in Checkmk 2.3 before 2.3.0p6 facilitates brute-forcing of second factor mechanisms.
Severity CVSS v4.0: Pending analysis
Last modification:
23/07/2024

CVE-2024-1228

Publication date:
10/06/2024
Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all Eurosoft Przychodnia installations. This issue affects Eurosoft Przychodnia software before version 20240417.001 (from that version vulnerability is fixed).
Severity CVSS v4.0: CRITICAL
Last modification:
03/10/2025

CVE-2024-36971

Publication date:
10/06/2024
In the Linux kernel, the following vulnerability has been resolved:

net: fix __dst_negative_advice() race

__dst_negative_advice() does not enforce proper RCU rules when
sk->dst_cache must be cleared, leading to possible UAF.

RCU rules are that we must first clear sk->sk_dst_cache,
then call dst_release(old_dst).

Note that sk_dst_reset(sk) is implementing this protocol correctly,
while __dst_negative_advice() uses the wrong order.

Given that ip6_negative_advice() has special logic
against RTF_CACHE, this means each of the three ->negative_advice()
existing methods must perform the sk_dst_reset() themselves.

Note the check against NULL dst is centralized in
__dst_negative_advice(), there is no need to duplicate
it in various callbacks.

Many thanks to Clement Lecigne for tracking this issue.

This old bug became visible after the blamed commit, using UDP sockets.
Severity CVSS v4.0: Pending analysis
Last modification:
05/11/2025

CVE-2024-4745

Publication date:
10/06/2024
Missing Authorization vulnerability in RafflePress Giveaways and Contests by RafflePress. This issue affects Giveaways and Contests by RafflePress: from n/a through 1.12.4.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2024

CVE-2024-4746

Publication date:
10/06/2024
Missing Authorization vulnerability in Netgsm. This issue affects Netgsm: from n/a through 2.9.16.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2024