Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-7190
Publication date:
29/07/2024
A vulnerability classified as critical was found in itsourcecode Society Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/get_price.php. The manipulation of the argument expenses_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272611.
Severity CVSS v4.0: Pending analysis
Last modification:
23/08/2024

CVE-2024-7189
Publication date:
29/07/2024
A vulnerability classified as critical has been found in itsourcecode Online Food Ordering System 1.0. Affected is an unknown function of the file editproduct.php. The manipulation of the argument photo leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-272610 is the identifier assigned to this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
23/08/2024

CVE-2024-7188
Publication date:
29/07/2024
A vulnerability was found in Bylancer Quicklancer 2.4. It has been rated as critical. This issue affects some unknown processing of the file /listing of the component GET Parameter Handler. The manipulation of the argument range2 leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-272609 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2024

CVE-2024-7187
Publication date:
29/07/2024
A vulnerability was found in TOTOLINK A3600R 4.1.2cu.5182_B20201102. It has been declared as critical. This vulnerability affects the function UploadCustomModule of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument File leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272608. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
23/08/2024

CVE-2024-41019
Publication date:
29/07/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/ntfs3: Validate ff offset<br /> <br /> This adds sanity checks for ff offset. There is a check<br /> on rt-&gt;first_free at first, but walking through by ff<br /> without any check. If the second ff is a large offset.<br /> We may encounter an out-of-bound read.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-41090
Publication date:
29/07/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tap: add missing verification for short frame<br /> <br /> The cited commit missed to check against the validity of the frame length<br /> in the tap_get_user_xdp() path, which could cause a corrupted skb to be<br /> sent downstack. Even before the skb is transmitted, the<br /> tap_get_user_xdp()--&gt;skb_set_network_header() may assume the size is more<br /> than ETH_HLEN. Once transmitted, this could either cause out-of-bound<br /> access beyond the actual length, or confuse the underlayer with incorrect<br /> or inconsistent header length in the skb metadata.<br /> <br /> In the alternative path, tap_get_user() already prohibits short frame which<br /> has the length less than Ethernet header size from being transmitted.<br /> <br /> This is to drop any frame shorter than the Ethernet header size just like<br /> how tap_get_user() does.<br /> <br /> CVE: CVE-2024-41090
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-41091
Publication date:
29/07/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tun: add missing verification for short frame<br /> <br /> The cited commit missed to check against the validity of the frame length<br /> in the tun_xdp_one() path, which could cause a corrupted skb to be sent<br /> downstack. Even before the skb is transmitted, the<br /> tun_xdp_one--&gt;eth_type_trans() may access the Ethernet header although it<br /> can be less than ETH_HLEN. Once transmitted, this could either cause<br /> out-of-bound access beyond the actual length, or confuse the underlayer<br /> with incorrect or inconsistent header length in the skb metadata.<br /> <br /> In the alternative path, tun_get_user() already prohibits short frame which<br /> has the length less than Ethernet header size from being transmitted for<br /> IFF_TAP.<br /> <br /> This is to drop any frame shorter than the Ethernet header size just like<br /> how tun_get_user() does.<br /> <br /> CVE: CVE-2024-41091
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-41018
Publication date:
29/07/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/ntfs3: Add a check for attr_names and oatbl<br /> <br /> Added out-of-bound checking for *ane (ATTR_NAME_ENTRY).
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2025

CVE-2024-41015
Publication date:
29/07/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ocfs2: add bounds checking to ocfs2_check_dir_entry()<br /> <br /> This adds sanity checks for ocfs2_dir_entry to make sure all members of<br /> ocfs2_dir_entry don&amp;#39;t stray beyond valid memory region.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-41017
Publication date:
29/07/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> jfs: don&amp;#39;t walk off the end of ealist<br /> <br /> Add a check before visiting the members of ea to<br /> make sure each ea stays within the ealist.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-41016
Publication date:
29/07/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()<br /> <br /> xattr in ocfs2 maybe &amp;#39;non-indexed&amp;#39;, which saved with additional space<br /> requested. It&amp;#39;s better to check if the memory is out of bound before<br /> memcmp, although this possibility mainly comes from crafted poisonous<br /> images.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2024-41013
Publication date:
29/07/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfs: don&amp;#39;t walk off the end of a directory data block<br /> <br /> This adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry<br /> to make sure don&amp;#39;t stray beyond valid memory region. Before patching, the<br /> loop simply checks that the start offset of the dup and dep is within the<br /> range. So in a crafted image, if last entry is xfs_dir2_data_unused, we<br /> can change dup-&gt;length to dup-&gt;length-1 and leave 1 byte of space. In the<br /> next traversal, this space will be considered as dup or dep. We may<br /> encounter an out of bound read when accessing the fixed members.<br /> <br /> In the patch, we make sure that the remaining bytes large enough to hold<br /> an unused entry before accessing xfs_dir2_data_unused and<br /> xfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. We also make<br /> sure that the remaining bytes large enough to hold a dirent with a<br /> single-byte name before accessing xfs_dir2_data_entry.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025
Subscribe to Vulnerabilities