Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-5947

Publication date:
27/02/2024
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-7247. Reason: This candidate is a duplicate of CVE-2023-7247. Notes: All CVE users should reference CVE-2023-7247 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
27/02/2024

CVE-2024-1423

Publication date:
27/02/2024
Rejected reason: Accidental Request
Severity CVSS v4.0: Pending analysis
Last modification:
27/02/2024

CVE-2024-1921

Publication date:
27/02/2024
A vulnerability, which was classified as critical, was found in osuuu LightPicture up to 1.2.2. Affected is an unknown function of the file /app/controller/Setup.php. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254856.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2024

CVE-2024-27905

Publication date:
27/02/2024
** UNSUPPORTED WHEN ASSIGNED ** Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Aurora. An endpoint exposing internals to unauthenticated users can be used as a "padding oracle" allowing an anonymous attacker to construct a valid authentication cookie. Potentially this could be combined with vulnerabilities in other components to achieve remote code execution. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2024-25723

Publication date:
27/02/2024
ZenML Server in the ZenML machine learning package before 0.46.7 for Python allows remote privilege escalation because the /api/v1/users/{user_name_or_id}/activate REST API endpoint allows access on the basis of a valid username along with a new password in the request body. These are also patched versions: 0.44.4, 0.43.1, and 0.42.2.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2025

CVE-2024-27507

Publication date:
27/02/2024
libLAS 1.8.1 contains a memory leak vulnerability in /libLAS/apps/ts2las.cpp.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2024-0551

Publication date:
27/02/2024
Enable exports of the database and associated exported information of the system via the default user role. The attacker would have to have been granted access to the system prior to the attack. It is worth noting that the deterministic nature of the export name is lower risk as the UI for exporting would start the download at the same time, which once downloaded - deletes the export from the system. The endpoint for exporting should simply be patched to a higher privilege level.
Severity CVSS v4.0: Pending analysis
Last modification:
04/03/2025

CVE-2024-0819

Publication date:
27/02/2024
Improper initialization of default settings in TeamViewer Remote Client prior to version 15.51.5 for Windows, Linux and macOS allows a low privileged user to elevate privileges by changing the personal password setting and establishing a remote connection to a logged-in admin account.
Severity CVSS v4.0: Pending analysis
Last modification:
03/03/2025

CVE-2024-1919

Publication date:
27/02/2024
A vulnerability classified as problematic was found in SourceCodester Online Job Portal 1.0. This vulnerability affects unknown code of the file /Employer/ManageWalkin.php of the component Manage Walkin Page. The manipulation of the argument Job Title leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-254854 is the identifier assigned to this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2024

CVE-2024-1920

Publication date:
27/02/2024
A vulnerability, which was classified as critical, has been found in osuuu LightPicture up to 1.2.2. This issue affects the function handle of the file /app/middleware/TokenVerify.php. The manipulation leads to use of hard-coded cryptographic key. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254855.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2024

CVE-2023-51747

Publication date:
27/02/2024
Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling. A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelope, allowing for instance to bypass SPF checks. The patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction. We recommend James users to upgrade to non-vulnerable versions.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2025

CVE-2024-0197

Publication date:
27/02/2024
A flaw in the installer for Thales SafeNet Sentinel HASP LDK prior to 9.16 on Windows allows an attacker to escalate their privilege level via local access.
Severity CVSS v4.0: Pending analysis
Last modification:
04/03/2025