Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-49341

Publication date:
09/03/2024
An issue was discovered in Newland Nquire 1000 Interactive Kiosk version NQ1000-II_G_V1.00.011 that allows remote attackers to obtain sensitive information via cleartext credential storage in the backup.htm component.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2023-50015

Publication date:
09/03/2024
An issue was discovered in Grandstream GXP14XX 1.0.8.9 and GXP16XX 1.0.7.13 that allows remote attackers to escalate privileges via incorrect access control using an end-user session-identity token.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2024-28176

Publication date:
09/03/2024
jose is a JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user's environment consume an unreasonable amount of CPU time or memory during JWE Decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2025

CVE-2024-28180

Publication date:
09/03/2024
Package jose aims to provide an implementation of the JavaScript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2025

CVE-2024-28184

Publication date:
09/03/2024
WeasyPrint helps web developers to create PDF documents. Since version 61.0, there's a vulnerability which allows attaching content of arbitrary files and URLs to a generated PDF document, even if `url_fetcher` is configured to prevent access to files and URLs. This vulnerability has been patched in version 61.2.
Severity CVSS v4.0: Pending analysis
Last modification:
02/12/2025

CVE-2024-28122

Publication date:
09/03/2024
JWX is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. This vulnerability allows an attacker with a trusted public key to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. This issue has been patched in versions 1.2.29 and 2.0.21.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2025

CVE-2024-28753

Publication date:
09/03/2024
RaspAP (aka raspap-webgui) through 3.0.9 allows remote attackers to read the /etc/passwd file via a crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2025

CVE-2024-28754

Publication date:
09/03/2024
RaspAP (aka raspap-webgui) through 3.0.9 allows remote attackers to cause a persistent denial of service (bricking) via a crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2025

CVE-2023-32264

Publication date:
08/03/2024
CWE-1385 vulnerability in OpenText Documentum D2 affecting versions 16.5.1 to CE 23.2. The vulnerability could allow uploading arbitrary code and executing it on the client's computer.
Severity CVSS v4.0: Pending analysis
Last modification:
08/03/2024

CVE-2024-2339

Publication date:
08/03/2024
PostgreSQL Anonymizer v1.2 contains a vulnerability that allows a user who owns a table to elevate to superuser. A user can define a masking function for a column and place malicious code in that function. When a privileged user applies the masking rules using the static masking or the anonymous dump method, the malicious code is executed and can grant escalated privileges to the malicious user. PostgreSQL Anonymizer v1.2 does provide a protection against this risk with the restrict_to_trusted_schemas option, but that protection is incomplete. Users that don't own a table, especially masked users, cannot exploit this vulnerability. The problem is resolved in v1.3.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2025

CVE-2024-2338

Publication date:
08/03/2024
PostgreSQL Anonymizer v1.2 contains a SQL injection vulnerability that allows a user who owns a table to elevate to superuser when dynamic masking is enabled. PostgreSQL Anonymizer enables users to set security labels on tables to mask specified columns. There is a flaw that allows complex expressions to be provided as a value. This expression is then later used as-is to create the masked views, leading to SQL injection. If dynamic masking is enabled, this will lead to privilege escalation to superuser after the label is created. Users that don't own a table, especially masked users, cannot exploit this vulnerability. The problem is resolved in v1.3.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2025

CVE-2022-43855

Publication date:
08/03/2024
IBM SPSS Statistics 26.0, 27.0.1, and 28.0 IO Module could allow a local user to create multiple files that could exhaust the file handles capacity and cause a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2025