Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-3567
Publication date:
10/04/2024
A flaw was found in QEMU. An assertion failure was present in the update_sctp_checksum() function in hw/net/net_tx_pkt.c when trying to calculate the checksum of a short-sized fragmented packet. This flaw allows a malicious guest to crash QEMU and cause a denial of service condition.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2025

CVE-2024-24809
Publication date:
10/04/2024
Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2024

CVE-2024-27474
Publication date:
10/04/2024
Leantime 3.0.6 is vulnerable to Cross Site Request Forgery (CSRF). This vulnerability allows malicious actors to perform unauthorized actions on behalf of authenticated users, specifically administrators.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2025

CVE-2024-27476
Publication date:
10/04/2024
Leantime 3.0.6 is vulnerable to HTML Injection via /dashboard/show#/tickets/newTicket.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2025

CVE-2024-27477
Publication date:
10/04/2024
In Leantime 3.0.6, a Cross-Site Scripting vulnerability exists within the ticket creation and modification functionality, allowing attackers to inject malicious JavaScript code into the title field of tickets (also known as to-dos). This stored XSS vulnerability can be exploited to perform Server-Side Request Forgery (SSRF) attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2025

CVE-2024-23083
Publication date:
10/04/2024
Time4J Base v5.9.3 was discovered to contain a NullPointerException via the component net.time4j.format.internal.FormatUtils::useDefaultWeekmodel(Locale). NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2024

CVE-2024-26816
Publication date:
10/04/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86, relocs: Ignore relocations in .notes section<br /> <br /> When building with CONFIG_XEN_PV=y, .text symbols are emitted into<br /> the .notes section so that Xen can find the "startup_xen" entry point.<br /> This information is used prior to booting the kernel, so relocations<br /> are not useful. In fact, performing relocations against the .notes<br /> section means that the KASLR base is exposed since /sys/kernel/notes<br /> is world-readable.<br /> <br /> To avoid leaking the KASLR base without breaking unprivileged tools that<br /> are expecting to read /sys/kernel/notes, skip performing relocations in<br /> the .notes section. The values readable in .notes are then identical to<br /> those found in System.map.
Severity CVSS v4.0: Pending analysis
Last modification:
27/03/2025

CVE-2024-2730
Publication date:
10/04/2024
Mautic uses predictable page indices for unpublished landing pages, their content can be accessed by unauthenticated users under public preview URLs which could expose sensitive data. At the time of publication of the CVE no patch is available <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2024

CVE-2024-2731
Publication date:
10/04/2024
Users with low privileges (all permissions deselected in the administrator permissions settings) can view certain pages that expose sensitive information such as company names, users&amp;#39; names and surnames, stage names, and monitoring campaigns and their descriptions. In addition, unprivileged users can see and edit the descriptions of tags. At the time of publication of the CVE no patch is available.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2024

CVE-2024-3448
Publication date:
10/04/2024
Users with low privileges can perform certain AJAX actions. In this vulnerability instance, improper access to ajax?action=plugin:focus:checkIframeAvailability leads to a Server-Side Request Forgery by analyzing the error messages returned from the back-end. Allowing an attacker to perform a port scan in the back-end. At the time of publication of the CVE no patch is available.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2024

CVE-2024-20770
Publication date:
10/04/2024
Photoshop Desktop versions 24.7.2, 25.3.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2024

CVE-2024-20772
Publication date:
10/04/2024
Media Encoder versions 24.2.1, 23.6.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2024
Subscribe to Vulnerabilities