Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-2756
Publication date:
29/04/2024
Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-4298
Publication date:
29/04/2024
The email search interface of HGiga iSherlock (including MailSherlock, SpamSherock, AuditSherlock) fails to filter special characters in certain function parameters, allowing remote attackers with administrative privileges to exploit this vulnerability for Command Injection attacks, enabling execution of arbitrary system commands.
Severity CVSS v4.0: Pending analysis
Last modification:
26/01/2026

CVE-2024-4297
Publication date:
29/04/2024
The system configuration interface of HGiga iSherlock (including MailSherlock, SpamSherlock, AuditSherlock) fails to filter special characters in certain function parameters, allowing remote attackers with administrative privileges to exploit this vulnerability to download arbitrary system files.
Severity CVSS v4.0: Pending analysis
Last modification:
26/01/2026

CVE-2024-4296
Publication date:
29/04/2024
The account management interface of HGiga iSherlock (including MailSherlock, SpamSherlock, AuditSherlock) fails to filter special characters in certain function parameters, allowing remote attackers with administrative privileges to exploit this vulnerability to download arbitrary system files.
Severity CVSS v4.0: Pending analysis
Last modification:
26/01/2026

CVE-2024-33903
Publication date:
29/04/2024
In CARLA through 0.9.15.2, the collision sensor mishandles some situations involving pedestrians or bicycles, in part because the collision sensor function is not exposed to the Blueprint library.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-33899
Publication date:
29/04/2024
RARLAB WinRAR before 7.00, on Linux and UNIX platforms, allows attackers to spoof the screen output, or cause a denial of service, via ANSI escape sequences.
Severity CVSS v4.0: Pending analysis
Last modification:
20/06/2025

CVE-2024-33891
Publication date:
28/04/2024
Delinea Secret Server before 11.7.000001 allows attackers to bypass authentication via the SOAP API in SecretServer/webservices/SSWebService.asmx. This is related to a hardcoded key, the use of the integer 2 for the Admin user, and removal of the oauthExpirationId attribute.
Severity CVSS v4.0: Pending analysis
Last modification:
28/10/2025

CVE-2024-33331
Publication date:
28/04/2024
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-33891. Reason: This candidate is a reservation duplicate of CVE-2024-33891. Notes: All CVE users should reference CVE-2024-33891 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2024

CVE-2024-33883
Publication date:
28/04/2024
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2022-48664
Publication date:
28/04/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix hang during unmount when stopping a space reclaim worker<br /> <br /> Often when running generic/562 from fstests we can hang during unmount,<br /> resulting in a trace like this:<br /> <br /> Sep 07 11:52:00 debian9 unknown: run fstests generic/562 at 2022-09-07 11:52:00<br /> Sep 07 11:55:32 debian9 kernel: INFO: task umount:49438 blocked for more than 120 seconds.<br /> Sep 07 11:55:32 debian9 kernel: Not tainted 6.0.0-rc2-btrfs-next-122 #1<br /> Sep 07 11:55:32 debian9 kernel: "echo 0 &gt; /proc/sys/kernel/hung_task_timeout_secs" disables this message.<br /> Sep 07 11:55:32 debian9 kernel: task:umount state:D stack: 0 pid:49438 ppid: 25683 flags:0x00004000<br /> Sep 07 11:55:32 debian9 kernel: Call Trace:<br /> Sep 07 11:55:32 debian9 kernel: <br /> Sep 07 11:55:32 debian9 kernel: __schedule+0x3c8/0xec0<br /> Sep 07 11:55:32 debian9 kernel: ? rcu_read_lock_sched_held+0x12/0x70<br /> Sep 07 11:55:32 debian9 kernel: schedule+0x5d/0xf0<br /> Sep 07 11:55:32 debian9 kernel: schedule_timeout+0xf1/0x130<br /> Sep 07 11:55:32 debian9 kernel: ? lock_release+0x224/0x4a0<br /> Sep 07 11:55:32 debian9 kernel: ? lock_acquired+0x1a0/0x420<br /> Sep 07 11:55:32 debian9 kernel: ? trace_hardirqs_on+0x2c/0xd0<br /> Sep 07 11:55:32 debian9 kernel: __wait_for_common+0xac/0x200<br /> Sep 07 11:55:32 debian9 kernel: ? usleep_range_state+0xb0/0xb0<br /> Sep 07 11:55:32 debian9 kernel: __flush_work+0x26d/0x530<br /> Sep 07 11:55:32 debian9 kernel: ? flush_workqueue_prep_pwqs+0x140/0x140<br /> Sep 07 11:55:32 debian9 kernel: ? trace_clock_local+0xc/0x30<br /> Sep 07 11:55:32 debian9 kernel: __cancel_work_timer+0x11f/0x1b0<br /> Sep 07 11:55:32 debian9 kernel: ? close_ctree+0x12b/0x5b3 [btrfs]<br /> Sep 07 11:55:32 debian9 kernel: ? __trace_bputs+0x10b/0x170<br /> Sep 07 11:55:32 debian9 kernel: close_ctree+0x152/0x5b3 [btrfs]<br /> Sep 07 11:55:32 debian9 kernel: ? evict_inodes+0x166/0x1c0<br /> Sep 07 11:55:32 debian9 kernel: generic_shutdown_super+0x71/0x120<br /> Sep 07 11:55:32 debian9 kernel: kill_anon_super+0x14/0x30<br /> Sep 07 11:55:32 debian9 kernel: btrfs_kill_super+0x12/0x20 [btrfs]<br /> Sep 07 11:55:32 debian9 kernel: deactivate_locked_super+0x2e/0xa0<br /> Sep 07 11:55:32 debian9 kernel: cleanup_mnt+0x100/0x160<br /> Sep 07 11:55:32 debian9 kernel: task_work_run+0x59/0xa0<br /> Sep 07 11:55:32 debian9 kernel: exit_to_user_mode_prepare+0x1a6/0x1b0<br /> Sep 07 11:55:32 debian9 kernel: syscall_exit_to_user_mode+0x16/0x40<br /> Sep 07 11:55:32 debian9 kernel: do_syscall_64+0x48/0x90<br /> Sep 07 11:55:32 debian9 kernel: entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> Sep 07 11:55:32 debian9 kernel: RIP: 0033:0x7fcde59a57a7<br /> Sep 07 11:55:32 debian9 kernel: RSP: 002b:00007ffe914217c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6<br /> Sep 07 11:55:32 debian9 kernel: RAX: 0000000000000000 RBX: 00007fcde5ae8264 RCX: 00007fcde59a57a7<br /> Sep 07 11:55:32 debian9 kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055b57556cdd0<br /> Sep 07 11:55:32 debian9 kernel: RBP: 000055b57556cba0 R08: 0000000000000000 R09: 00007ffe91420570<br /> Sep 07 11:55:32 debian9 kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000<br /> Sep 07 11:55:32 debian9 kernel: R13: 000055b57556cdd0 R14: 000055b57556ccb8 R15: 0000000000000000<br /> Sep 07 11:55:32 debian9 kernel: <br /> <br /> What happens is the following:<br /> <br /> 1) The cleaner kthread tries to start a transaction to delete an unused<br /> block group, but the metadata reservation can not be satisfied right<br /> away, so a reservation ticket is created and it starts the async<br /> metadata reclaim task (fs_info-&gt;async_reclaim_work);<br /> <br /> 2) Writeback for all the filler inodes with an i_size of 2K starts<br /> (generic/562 creates a lot of 2K files with the goal of filling<br /> metadata space). We try to create an inline extent for them, but we<br /> fail when trying to insert the inline extent with -ENOSPC (at<br /> cow_file_range_inline()) - since this is not critical, we fallback<br /> to non-inline mode (back to cow_file_range()), reserve extents<br /> ---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2025

CVE-2022-48665
Publication date:
28/04/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> exfat: fix overflow for large capacity partition<br /> <br /> Using int type for sector index, there will be overflow in a large<br /> capacity partition.<br /> <br /> For example, if storage with sector size of 512 bytes and partition<br /> capacity is larger than 2TB, there will be overflow.
Severity CVSS v4.0: Pending analysis
Last modification:
19/09/2025

CVE-2022-48666
Publication date:
28/04/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: core: Fix a use-after-free<br /> <br /> There are two .exit_cmd_priv implementations. Both implementations use<br /> resources associated with the SCSI host. Make sure that these resources are<br /> still available when .exit_cmd_priv is called by waiting inside<br /> scsi_remove_host() until the tag set has been freed.<br /> <br /> This commit fixes the following use-after-free:<br /> <br /> ==================================================================<br /> BUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp]<br /> Read of size 8 at addr ffff888100337000 by task multipathd/16727<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x34/0x44<br /> print_report.cold+0x5e/0x5db<br /> kasan_report+0xab/0x120<br /> srp_exit_cmd_priv+0x27/0xd0 [ib_srp]<br /> scsi_mq_exit_request+0x4d/0x70<br /> blk_mq_free_rqs+0x143/0x410<br /> __blk_mq_free_map_and_rqs+0x6e/0x100<br /> blk_mq_free_tag_set+0x2b/0x160<br /> scsi_host_dev_release+0xf3/0x1a0<br /> device_release+0x54/0xe0<br /> kobject_put+0xa5/0x120<br /> device_release+0x54/0xe0<br /> kobject_put+0xa5/0x120<br /> scsi_device_dev_release_usercontext+0x4c1/0x4e0<br /> execute_in_process_context+0x23/0x90<br /> device_release+0x54/0xe0<br /> kobject_put+0xa5/0x120<br /> scsi_disk_release+0x3f/0x50<br /> device_release+0x54/0xe0<br /> kobject_put+0xa5/0x120<br /> disk_release+0x17f/0x1b0<br /> device_release+0x54/0xe0<br /> kobject_put+0xa5/0x120<br /> dm_put_table_device+0xa3/0x160 [dm_mod]<br /> dm_put_device+0xd0/0x140 [dm_mod]<br /> free_priority_group+0xd8/0x110 [dm_multipath]<br /> free_multipath+0x94/0xe0 [dm_multipath]<br /> dm_table_destroy+0xa2/0x1e0 [dm_mod]<br /> __dm_destroy+0x196/0x350 [dm_mod]<br /> dev_remove+0x10c/0x160 [dm_mod]<br /> ctl_ioctl+0x2c2/0x590 [dm_mod]<br /> dm_ctl_ioctl+0x5/0x10 [dm_mod]<br /> __x64_sys_ioctl+0xb4/0xf0<br /> dm_ctl_ioctl+0x5/0x10 [dm_mod]<br /> __x64_sys_ioctl+0xb4/0xf0<br /> do_syscall_64+0x3b/0x90<br /> entry_SYSCALL_64_after_hwframe+0x46/0xb0
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025
Subscribe to Vulnerabilities