Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-6700
Publication date:
12/09/2024
Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name.
Severity CVSS v4.0: Pending analysis
Last modification:
13/09/2024

CVE-2024-6701
Publication date:
12/09/2024
Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type.
Severity CVSS v4.0: Pending analysis
Last modification:
13/09/2024

CVE-2024-45826
Publication date:
12/09/2024
CVE-2024-45826 IMPACT<br /> Due to improper input validation, a path traversal and remote code execution vulnerability exists when the ThinManager® processes a crafted POST request. If exploited, a user can install an executable file.
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2024

CVE-2024-45825
Publication date:
12/09/2024
CVE-2024-45825 IMPACT<br /> A denial-of-service vulnerability exists in the affected products. The vulnerability occurs when a malformed CIP packet is sent over the network to the device and results in a major nonrecoverable fault causing a denial-of-service.
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2024

CVE-2024-42483
Publication date:
12/09/2024
ESP-NOW Component provides a connectionless Wi-Fi communication protocol. An replay attacks vulnerability was discovered in the implementation of the ESP-NOW because the caches is not differentiated by message types, it is a single, shared resource for all kinds of messages, whether they are broadcast or unicast, and regardless of whether they are ciphertext or plaintext. This can result an attacker to clear the cache of its legitimate entries, there by creating an opportunity to re-inject previously captured packets. This vulnerability is fixed in 2.5.2.
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2024

CVE-2024-45823
Publication date:
12/09/2024
CVE-2024-45823 IMPACT<br /> <br /> <br /> <br /> An<br /> authentication bypass vulnerability exists in the affected product. The<br /> vulnerability exists due to shared secrets across accounts and could allow a threat<br /> actor to impersonate a user if the threat actor is able to enumerate additional<br /> information required during authentication.
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2024

CVE-2024-42484
Publication date:
12/09/2024
ESP-NOW Component provides a connectionless Wi-Fi communication protocol. An Out-of-Bound (OOB) vulnerability was discovered in the implementation of the ESP-NOW group type message because there is no check for the addrs_num field of the group type message. This can result in memory corruption related attacks. Normally there are two fields in the group information that need to be checked, i.e., the addrs_num field and the addrs_list fileld. Since we only checked the addrs_list field, an attacker can send a group type message with an invalid addrs_num field, which will cause the message handled by the firmware to be much larger than the current buffer, thus causing a memory corruption issue that goes beyond the payload length.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-28990
Publication date:
12/09/2024
SolarWinds Access Rights Manager (ARM) was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability would allow access to the RabbitMQ management console.<br /> <br /> We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.
Severity CVSS v4.0: Pending analysis
Last modification:
16/09/2024

CVE-2024-28991
Publication date:
12/09/2024
SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability. If exploited, this vulnerability would allow an authenticated user to abuse the service, resulting in remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
16/09/2024

CVE-2024-45824
Publication date:
12/09/2024
CVE-2024-45824 IMPACT<br /> <br /> <br /> <br /> A remote<br /> code vulnerability exists in the affected products. The vulnerability occurs<br /> when chained with Path Traversal, Command Injection, and XSS Vulnerabilities<br /> and allows for full unauthenticated remote code execution. The link in the<br /> mitigations section below contains patches to fix this issue.
Severity CVSS v4.0: CRITICAL
Last modification:
31/01/2025

CVE-2024-40457
Publication date:
12/09/2024
No-IP Dynamic Update Client (DUC) v3.x uses cleartext credentials that may occur on a command line or in a file. NOTE: the vendor&amp;#39;s position is that cleartext in /etc/default/noip-duc is recommended and is the intentional behavior.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-45857
Publication date:
12/09/2024
Deserialization of untrusted data can occur in versions 2.4.0 or newer of the Cleanlab project, enabling a maliciously crafted datalab.pkl file to run arbitrary code on an end user’s system when the data directory is loaded.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026
Subscribe to Vulnerabilities