Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-3319

Publication date:
15/05/2024
An issue was identified in the Identity Security Cloud (ISC) Transform preview and IdentityProfile preview API endpoints that allowed an authenticated administrator to execute user-defined templates as part of attribute transforms which could allow remote code execution on the host.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-4903

Publication date:
15/05/2024
A vulnerability was found in Tongda OA 2017. It has been declared as critical. This vulnerability affects unknown code of the file /general/meeting/manage/delete.php. The manipulation of the argument M_ID_STR leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264436. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2024-31216

Publication date:
15/05/2024
The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. The source-controller implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. Prior to version 1.2.5, when source-controller was configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires. This vulnerability was fixed in source-controller v1.2.5. There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-35179

Publication date:
15/05/2024
Stalwart Mail Server is an open-source mail server. Prior to version 0.8.0, when using `RUN_AS_USER`, the specified user (and therefore, web interface admins) can read arbitrary files as root. This issue affects admins who have set up to run stalwart with `RUN_AS_USER` who handed out admin credentials to the mail server but expect these to only grant access according to the `RUN_AS_USER` and are attacked where the attackers managed to achieve Arbitrary Code Execution using another vulnerability. Version 0.8.0 contains a patch for the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-3317

Publication date:
15/05/2024
An improper access control was identified in the Identity Security Cloud (ISC) message server API that allowed an authenticated user to exfiltrate job processing metadata (opaque messageIDs, work queue depth and counts) for other tenants.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-3318

Publication date:
15/05/2024
A file path traversal vulnerability was identified in the DelimitedFileConnector Cloud Connector that allowed an authenticated administrator to set arbitrary connector attributes, including the “file“ attribute, which in turn allowed the user to access files uploaded for other sources.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2023-5935

Publication date:
15/05/2024
When configuring Arc (e.g. during the first setup), a local web interface is provided to ease the configuration process. Such web interface lacks authentication and may thus be abused by a local attacker or malware running on the machine itself.

A malicious local user or process, during a window of opportunity when the local web interface is active, may be able to extract sensitive information or change Arc's configuration. This could also lead to arbitrary code execution if a malicious update package is installed.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026

CVE-2023-5936

Publication date:
15/05/2024
On Unix systems (Linux, MacOS), Arc uses a temporary file with unsafe privileges.

By tampering with such file, a malicious local user in the system may be able to trigger arbitrary code execution with root privileges.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026

CVE-2023-5937

Publication date:
15/05/2024
On Windows systems, the Arc configuration files resulted to be world-readable.

This can lead to information disclosure by local attackers, via exfiltration of sensitive data from configuration files.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2024-34954

Publication date:
15/05/2024
Code-projects Budget Management 1.0 is vulnerable to Cross Site Scripting (XSS) via the budget parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
04/04/2025

CVE-2024-34955

Publication date:
15/05/2024
Code-projects Budget Management 1.0 is vulnerable to SQL Injection via the delete parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
04/04/2025

CVE-2024-27353

Publication date:
15/05/2024
A memory corruption vulnerability in SdHost and SdMmcDevice in Insyde InsydeH2O kernel 5.2 before 05.29.09, kernel 5.3 before 05.38.09, kernel 5.4 before 05.46.09, kernel 5.5 before 05.54.09, and kernel 5.6 before 05.61.09 could lead to escalating privileges in SMM.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026