Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-45011
Publication date:
11/09/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> char: xillybus: Check USB endpoints when probing device<br /> <br /> Ensure, as the driver probes the device, that all endpoints that the<br /> driver may attempt to access exist and are of the correct type.<br /> <br /> All XillyUSB devices must have a Bulk IN and Bulk OUT endpoint at<br /> address 1. This is verified in xillyusb_setup_base_eps().<br /> <br /> On top of that, a XillyUSB device may have additional Bulk OUT<br /> endpoints. The information about these endpoints&amp;#39; addresses is deduced<br /> from a data structure (the IDT) that the driver fetches from the device<br /> while probing it. These endpoints are checked in setup_channels().<br /> <br /> A XillyUSB device never has more than one IN endpoint, as all data<br /> towards the host is multiplexed in this single Bulk IN endpoint. This is<br /> why setup_channels() only checks OUT endpoints.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-45019
Publication date:
11/09/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5e: Take state lock during tx timeout reporter<br /> <br /> mlx5e_safe_reopen_channels() requires the state lock taken. The<br /> referenced changed in the Fixes tag removed the lock to fix another<br /> issue. This patch adds it back but at a later point (when calling<br /> mlx5e_safe_reopen_channels()) to avoid the deadlock referenced in the<br /> Fixes tag.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-45016
Publication date:
11/09/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netem: fix return value if duplicate enqueue fails<br /> <br /> There is a bug in netem_enqueue() introduced by<br /> commit 5845f706388a ("net: netem: fix skb length BUG_ON in __skb_to_sgvec")<br /> that can lead to a use-after-free.<br /> <br /> This commit made netem_enqueue() always return NET_XMIT_SUCCESS<br /> when a packet is duplicated, which can cause the parent qdisc&amp;#39;s q.qlen<br /> to be mistakenly incremented. When this happens qlen_notify() may be<br /> skipped on the parent during destruction, leaving a dangling pointer<br /> for some classful qdiscs like DRR.<br /> <br /> There are two ways for the bug happen:<br /> <br /> - If the duplicated packet is dropped by rootq-&gt;enqueue() and then<br /> the original packet is also dropped.<br /> - If rootq-&gt;enqueue() sends the duplicated packet to a different qdisc<br /> and the original packet is dropped.<br /> <br /> In both cases NET_XMIT_SUCCESS is returned even though no packets<br /> are enqueued at the netem qdisc.<br /> <br /> The fix is to defer the enqueue of the duplicate packet until after<br /> the original packet has been guaranteed to return NET_XMIT_SUCCESS.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2024-45018
Publication date:
11/09/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: flowtable: initialise extack before use<br /> <br /> Fix missing initialisation of extack in flow offload.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2024-39378
Publication date:
11/09/2024
Audition versions 24.4.1, 23.6.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2024

CVE-2024-4465
Publication date:
11/09/2024
An access control vulnerability was discovered in the Reports section due to a specific access restriction not being properly enforced for users with limited privileges.<br /> <br /> <br /> <br /> If a logged-in user with reporting privileges learns how to create a specific application request, they might be able to make limited changes to the reporting configuration. This could result in a partial loss of data integrity. In Guardian/CMC instances with a reporting configuration, there could be limited Denial of Service (DoS) impacts, as the reports may not reach their intended destination, and there could also be limited information disclosure impacts. Furthermore, modifying the destination SMTP server for the reports could lead to the compromise of external credentials, as they might be sent to an unauthorized server. This could expand the scope of the attack.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2024-8306
Publication date:
11/09/2024
CWE-269: Improper Privilege Management vulnerability exists that could cause unauthorized<br /> access, loss of confidentiality, integrity and availability of the workstation when non-admin<br /> authenticated user tries to perform privilege escalation by tampering with the binaries.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2024

CVE-2024-43793
Publication date:
11/09/2024
Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.19.0 of the Halo project. This vulnerability allows an attacker to execute malicious scripts in the user&amp;#39;s browser through specific HTML and JavaScript code, potentially leading to a Cross-Site Scripting (XSS) attack. This vulnerability is fixed in 2.19.0.
Severity CVSS v4.0: Pending analysis
Last modification:
16/09/2024

CVE-2024-8638
Publication date:
11/09/2024
Type Confusion in V8 in Google Chrome prior to 128.0.6613.137 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)
Severity CVSS v4.0: Pending analysis
Last modification:
13/09/2024

CVE-2024-8639
Publication date:
11/09/2024
Use after free in Autofill in Google Chrome on Android prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Severity CVSS v4.0: Pending analysis
Last modification:
13/09/2024

CVE-2024-8646
Publication date:
11/09/2024
In Eclipse Glassfish versions prior to 7.0.10, a URL redirection vulnerability to untrusted sites existed.<br /> This vulnerability is caused by the vulnerability (CVE-2023-41080) in the Apache code included in GlassFish.<br /> This vulnerability only affects applications that are explicitly deployed to the root context (&amp;#39;/&amp;#39;).
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2024

CVE-2024-8642
Publication date:
11/09/2024
In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires to have a dataplane configured to support http proxy consumer pull AND include the module "transfer-data-plane". The affected code was marked deprecated from the version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.
Severity CVSS v4.0: MEDIUM
Last modification:
29/04/2026
Subscribe to Vulnerabilities