Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-5692

Publication date:
05/04/2024
WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.4.3 via the redirect_guess_404_permalink function. This can allow unauthenticated attackers to expose the slug of a custom post whose 'publicly_queryable' post status has been set to 'false'.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2023-6523

Publication date:
05/04/2024
Authorization Bypass Through User-Controlled Key vulnerability in ExtremePacs Extreme XDS allows Authentication Abuse. This issue affects Extreme XDS: before 3914.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-31083

Publication date:
05/04/2024
A use-after-free vulnerability was found in the ProcRenderAddGlyphs() function of Xorg servers. This issue occurs when AllocateGlyph() is called to store new glyphs sent by the client to the X server, potentially resulting in multiple entries pointing to the same non-refcounted glyphs. Consequently, ProcRenderAddGlyphs() may free a glyph, leading to a use-after-free scenario when the same glyph pointer is subsequently accessed. This flaw allows an authenticated attacker to execute arbitrary code on the system by sending a specially crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2023-6522

Publication date:
05/04/2024
Incorrect Use of Privileged APIs vulnerability in ExtremePacs Extreme XDS allows Collect Data as Provided by Users. This issue affects Extreme XDS: before 3914.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-21848

Publication date:
05/04/2024
Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to keep participating in the call even if they are removed from the channel.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2024

CVE-2024-26813

Publication date:
05/04/2024
In the Linux kernel, the following vulnerability has been resolved:

vfio/platform: Create persistent IRQ handlers

The vfio-platform SET_IRQS ioctl currently allows loopback triggering of an interrupt before a signaling eventfd has been configured by the user, which thereby allows a NULL pointer dereference.

Rather than register the IRQ relative to a valid trigger, register all IRQs in a disabled state in the device open path. This allows mask operations on the IRQ to nest within the overall enable state governed by a valid eventfd signal. This decouples @masked, protected by the @locked spinlock from @trigger, protected via the @igate mutex.

In doing so, it's guaranteed that changes to @trigger cannot race the IRQ handlers because the IRQ handler is synchronously disabled before modifying the trigger, and loopback triggering of the IRQ via ioctl is safe due to serialization with trigger changes via igate.

For compatibility, request_irq() failures are maintained to be local to the SET_IRQS ioctl rather than a fatal error in the open device path. This allows, for example, a userspace driver with polling mode support to continue to work regardless of moving the request_irq() call site. This necessarily blocks all SET_IRQS access to the failed index.
Severity CVSS v4.0: Pending analysis
Last modification:
20/12/2024

CVE-2024-26814

Publication date:
05/04/2024
In the Linux kernel, the following vulnerability has been resolved:

vfio/fsl-mc: Block calling interrupt handler without trigger

The eventfd_ctx trigger pointer of the vfio_fsl_mc_irq object is initially NULL and may become NULL if the user sets the trigger eventfd to -1. The interrupt handler itself is guaranteed that trigger is always valid between request_irq() and free_irq(), but the loopback testing mechanisms to invoke the handler function need to test the trigger. The triggering and setting ioctl paths both make use of igate and are therefore mutually exclusive.

The vfio-fsl-mc driver does not make use of irqfds, nor does it support any sort of masking operations, therefore unlike vfio-pci and vfio-platform, the flow can remain essentially unchanged.
Severity CVSS v4.0: Pending analysis
Last modification:
27/03/2025

CVE-2024-28949

Publication date:
05/04/2024
Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don't limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2024

CVE-2024-29221

Publication date:
05/04/2024
Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the `/api/v4/users/me/teams` endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users, even if the "Add Members" permission was explicitly removed from team admins.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2024

CVE-2024-2447

Publication date:
05/04/2024
Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2024

CVE-2024-26810

Publication date:
05/04/2024
In the Linux kernel, the following vulnerability has been resolved:

vfio/pci: Lock external INTx masking ops

Mask operations through config space changes to DisINTx may race INTx configuration changes via ioctl. Create wrappers that add locking for paths outside of the core interrupt code.

In particular, irq_type is updated holding igate, therefore testing is_intx() requires holding igate. For example clearing DisINTx from config space can otherwise race changes of the interrupt configuration.

This aligns interfaces which may trigger the INTx eventfd into two camps, one side serialized by igate and the other only enabled while INTx is configured. A subsequent patch introduces synchronization for the latter flows.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2024-26812

Publication date:
05/04/2024
In the Linux kernel, the following vulnerability has been resolved:

vfio/pci: Create persistent INTx handler

A vulnerability exists where the eventfd for INTx signaling can be deconfigured, which unregisters the IRQ handler but still allows eventfds to be signaled with a NULL context through the SET_IRQS ioctl or through unmask irqfd if the device interrupt is pending.

Ideally this could be solved with some additional locking; the igate mutex serializes the ioctl and config space accesses, and the interrupt handler is unregistered relative to the trigger, but the irqfd path runs asynchronous to those. The igate mutex cannot be acquired from the atomic context of the eventfd wake function. Disabling the irqfd relative to the eventfd registration is potentially incompatible with existing userspace.

As a result, the solution implemented here moves configuration of the INTx interrupt handler to track the lifetime of the INTx context object and irq_type configuration, rather than registration of a particular trigger eventfd. Synchronization is added between the ioctl path and eventfd_signal() wrapper such that the eventfd trigger can be dynamically updated relative to in-flight interrupts or irqfd callbacks.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026