Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-3483

Publication date:
15/05/2024
Remote Code Execution has been discovered in OpenText™ iManager 3.2.6.0200. The vulnerability can trigger command injection and insecure deserialization issues.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2024-27593

Publication date:
15/05/2024
A stored cross-site scripting (XSS) vulnerability in the Filter function of Eramba Version 3.22.3 Community Edition allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the filter name field. This vulnerability has been fixed in version 3.23.0.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2024-28042

Publication date:
15/05/2024
SUBNET Solutions Inc. has identified vulnerabilities in third-party components used in PowerSYSTEM Center.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2024

CVE-2024-28087

Publication date:
15/05/2024
In Bonitasoft runtime Community edition, the lack of dynamic permissions causes an IDOR vulnerability. Dynamic permissions existed only in Subscription edition and have now been restored in Community edition, where they are not customizable.
Severity CVSS v4.0: Pending analysis
Last modification:
05/09/2024

CVE-2023-5938

Publication date:
15/05/2024
Multiple functions use archives without properly validating the filenames therein, rendering the application vulnerable to path traversal via 'zip slip' attacks. An administrator able to provide tampered archives to be processed by the affected versions of Arc may be able to have arbitrary files extracted to arbitrary filesystem locations. Leveraging this issue, an attacker may be able to overwrite arbitrary files on the target filesystem and cause critical impacts on the system (e.g., arbitrary command execution on the victim's machine).
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2024

CVE-2023-7258

Publication date:
15/05/2024
A denial of service exists in Gvisor Sandbox where a bug in reference counting code in mount point tracking could lead to a panic, making it possible for an attacker running as root and with permission to mount volumes to kill the sandbox. We recommend upgrading past commit 6a112c60a257dadac59962e0bc9e9b5aee70b5b6.
Severity CVSS v4.0: Pending analysis
Last modification:
22/07/2025

CVE-2024-3319

Publication date:
15/05/2024
An issue was identified in the Identity Security Cloud (ISC) Transform preview and IdentityProfile preview API endpoints that allowed an authenticated administrator to execute user-defined templates as part of attribute transforms which could allow remote code execution on the host.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2024

CVE-2024-4903

Publication date:
15/05/2024
A vulnerability was found in Tongda OA 2017. It has been declared as critical. This vulnerability affects unknown code of the file /general/meeting/manage/delete.php. The manipulation of the argument M_ID_STR leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264436. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
07/06/2024

CVE-2024-31216

Publication date:
15/05/2024
The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. The source-controller implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. Prior to version 1.2.5, when source-controller was configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires. This vulnerability was fixed in source-controller v1.2.5. There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2024

CVE-2024-35179

Publication date:
15/05/2024
Stalwart Mail Server is an open-source mail server. Prior to version 0.8.0, when using `RUN_AS_USER`, the specified user (and therefore, web interface admins) can read arbitrary files as root. This issue affects admins who have set up to run stalwart with `RUN_AS_USER` who handed out admin credentials to the mail server but expect these to only grant access according to the `RUN_AS_USER` and are attacked where the attackers managed to achieve Arbitrary Code Execution using another vulnerability. Version 0.8.0 contains a patch for the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2024

CVE-2024-3317

Publication date:
15/05/2024
An improper access control was identified in the Identity Security Cloud (ISC) message server API that allowed an authenticated user to exfiltrate job processing metadata (opaque messageIDs, work queue depth and counts) for other tenants.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2024

CVE-2024-3318

Publication date:
15/05/2024
A file path traversal vulnerability was identified in the DelimitedFileConnector Cloud Connector that allowed an authenticated administrator to set arbitrary connector attributes, including the "file" attribute, which in turn allowed the user to access files uploaded for other sources.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2024