Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-26816
Publication date:
10/04/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86, relocs: Ignore relocations in .notes section<br /> <br /> When building with CONFIG_XEN_PV=y, .text symbols are emitted into<br /> the .notes section so that Xen can find the "startup_xen" entry point.<br /> This information is used prior to booting the kernel, so relocations<br /> are not useful. In fact, performing relocations against the .notes<br /> section means that the KASLR base is exposed since /sys/kernel/notes<br /> is world-readable.<br /> <br /> To avoid leaking the KASLR base without breaking unprivileged tools that<br /> are expecting to read /sys/kernel/notes, skip performing relocations in<br /> the .notes section. The values readable in .notes are then identical to<br /> those found in System.map.
Severity CVSS v4.0: Pending analysis
Last modification:
27/03/2025

CVE-2024-2730
Publication date:
10/04/2024
Mautic uses predictable page indices for unpublished landing pages, their content can be accessed by unauthenticated users under public preview URLs which could expose sensitive data. At the time of publication of the CVE no patch is available <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2024

CVE-2024-2731
Publication date:
10/04/2024
Users with low privileges (all permissions deselected in the administrator permissions settings) can view certain pages that expose sensitive information such as company names, users&amp;#39; names and surnames, stage names, and monitoring campaigns and their descriptions. In addition, unprivileged users can see and edit the descriptions of tags. At the time of publication of the CVE no patch is available.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2024

CVE-2024-3448
Publication date:
10/04/2024
Users with low privileges can perform certain AJAX actions. In this vulnerability instance, improper access to ajax?action=plugin:focus:checkIframeAvailability leads to a Server-Side Request Forgery by analyzing the error messages returned from the back-end. Allowing an attacker to perform a port scan in the back-end. At the time of publication of the CVE no patch is available.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2024

CVE-2024-20770
Publication date:
10/04/2024
Photoshop Desktop versions 24.7.2, 25.3.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2024

CVE-2024-20772
Publication date:
10/04/2024
Media Encoder versions 24.2.1, 23.6.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2024

CVE-2024-23080
Publication date:
10/04/2024
Joda Time v2.12.5 was discovered to contain a NullPointerException via the component org.joda.time.format.PeriodFormat::wordBased(Locale). NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.
Severity CVSS v4.0: Pending analysis
Last modification:
27/08/2024

CVE-2024-31492
Publication date:
10/04/2024
An external control of file name or path vulnerability [CWE-73] in FortiClientMac version 7.2.3 and below, version 7.0.10 and below installer may allow a local attacker to execute arbitrary code or commands via writing a malicious configuration file in /tmp before starting the installation process.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2025

CVE-2024-31924
Publication date:
10/04/2024
Cross-Site Request Forgery (CSRF) vulnerability in Exactly WWW EWWW Image Optimizer.This issue affects EWWW Image Optimizer: from n/a through 7.2.3.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2024

CVE-2024-20766
Publication date:
10/04/2024
InDesign Desktop versions 18.5.1, 19.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2024

CVE-2024-23076
Publication date:
10/04/2024
JFreeChart v1.5.4 was discovered to contain a NullPointerException via the component /labels/BubbleXYItemLabelGenerator.java. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2025

CVE-2024-31309
Publication date:
10/04/2024
HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server.  Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected.<br /> <br /> Users can set a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute.  ATS does have a fixed amount of memory a request can use and ATS adheres to these limits in previous releases.<br /> Users are recommended to upgrade to versions 8.1.10 or 9.2.4 which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025
Subscribe to Vulnerabilities