Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-0407
Publication date:
21/02/2024
Certain HP Enterprise LaserJet, and HP LaserJet Managed Printers are potentially vulnerable to information disclosure, when connections made by the device back to services enabled by some solutions may have been trusted without the appropriate CA certificate in the device's certificate store.
Severity CVSS v4.0: Pending analysis
Last modification:
20/02/2026

CVE-2023-50923
Publication date:
21/02/2024
In QUIC in RFC 9000, the Latency Spin Bit specification (section 17.4) does not strictly constrain the bit value when the feature is disabled, which might allow remote attackers to construct a covert channel with data represented as changes to the bit value. NOTE: The "Sheridan, S., Keane, A. (2015). In Proceedings of the 14th European Conference on Cyber Warfare and Security (ECCWS), University of Hertfordshire, Hatfield, UK." paper says "Modern Internet communication protocols provide an almost infinite number of ways in which data can be hidden or embed whithin seemingly normal network traffic."
Severity CVSS v4.0: Pending analysis
Last modification:
04/12/2024

CVE-2024-23758
Publication date:
20/02/2024
An issue discovered in Unisys Stealth 5.3.062.0 allows attackers to view sensitive information via the Enterprise ManagementInstaller_msi.log file.
Severity CVSS v4.0: Pending analysis
Last modification:
02/05/2025

CVE-2021-29038
Publication date:
20/02/2024
Liferay Portal 7.2.0 through 7.3.5, and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions does not obfuscate password reminder answers on the page, which allows attackers to use man-in-the-middle or shoulder surfing attacks to steal user's password reminder answers.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2025

CVE-2021-29050
Publication date:
20/02/2024
Cross-Site Request Forgery (CSRF) vulnerability in the terms of use page in Liferay Portal before 7.3.6, and Liferay DXP 7.3 before service pack 1, 7.2 before fix pack 11 allows remote attackers to accept the site's terms of use via social engineering and enticing the user to visit a malicious page.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2024

CVE-2023-47422
Publication date:
20/02/2024
An access control issue in /usr/sbin/httpd in Tenda TX9 V1 V22.03.02.54, Tenda AX3 V3 V16.03.12.11, Tenda AX9 V1 V22.03.01.46, and Tenda AX12 V1 V22.03.01.46 allows attackers to bypass authentication on any endpoint via a crafted URL.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2025

CVE-2023-6936
Publication date:
20/02/2024
In wolfSSL prior to 5.6.6, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS client or network attacker can trigger a buffer over-read on the heap of 5 bytes (WOLFSSL_CALLBACKS is only intended for debugging).<br />
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2025

CVE-2024-23830
Publication date:
20/02/2024
MantisBT is an open source issue tracker. Prior to version 2.26.1, an unauthenticated attacker who knows a user&amp;#39;s email address and username can hijack the user&amp;#39;s account by poisoning the link in the password reset notification message. A patch is available in version 2.26.1. As a workaround, define `$g_path` as appropriate in `config_inc.php`.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2024

CVE-2024-25428
Publication date:
20/02/2024
SQL Injection vulnerability in MRCMS v3.1.2 allows attackers to run arbitrary system commands via the status parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2025

CVE-2024-26136
Publication date:
20/02/2024
kedi ElectronCord is a bot management tool for Discord. Commit aaaeaf4e6c99893827b2eea4dd02f755e1e24041 exposes an account access token in the `config.json` file. Malicious actors could potentially exploit this vulnerability to gain unauthorized access to sensitive information or perform malicious actions on behalf of the repository owner. As of time of publication, it is unknown whether the owner of the repository has rotated the token or taken other mitigation steps aside from informing users of the situation.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2024-26140
Publication date:
20/02/2024
com.yetanalytics/lrs is the Yet Analytics Core LRS Library. Prior to version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS, a maliciously crafted xAPI statement could be used to perform script or other tag injection in the LRS Statement Browser. The problem is patched in version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS. No known workarounds exist.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2023-52436
Publication date:
20/02/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: explicitly null-terminate the xattr list<br /> <br /> When setting an xattr, explicitly null-terminate the xattr list. This<br /> eliminates the fragile assumption that the unused xattr space is always<br /> zeroed.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2024
Subscribe to Vulnerabilities