Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-51494

Publication date:

15/11/2024

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the "Port Settings" page allows authenticated users to inject arbitrary JavaScript through the "descr" parameter when editing a device&#39;s port settings. This vulnerability can lead to the execution of malicious code when the "Port Settings" page is visited, potentially compromising the user&#39;s session and allowing unauthorized actions. This vulnerability is fixed in 24.10.0.

Severity CVSS v4.0: Pending analysis

Last modification:

20/11/2024

CVE-2024-51495

Publication date:

15/11/2024

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the Device Overview page allows authenticated users to inject arbitrary JavaScript through the "overwrite_ip" parameter when editing a device. This vulnerability results in the execution of malicious code when the device overview page is visited, potentially compromising the accounts of other users. This vulnerability is fixed in 24.10.0.

Severity CVSS v4.0: Pending analysis

Last modification:

20/11/2024

CVE-2024-51496

Publication date:

15/11/2024

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Reflected Cross-Site Scripting (XSS) vulnerability in the "metric" parameter of the "/wireless" and "/health" endpoints allows attackers to inject arbitrary JavaScript. This vulnerability results in the execution of malicious code when a user accesses the page with a malicious "metric" parameter, potentially compromising their session and allowing unauthorized actions. This vulnerability is fixed in 24.10.0.

Severity CVSS v4.0: Pending analysis

Last modification:

21/11/2024

CVE-2024-51497

Publication date:

15/11/2024

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting (XSS) vulnerability in the "Custom OID" tab of a device allows authenticated users to inject arbitrary JavaScript through the "unit" parameter when creating a new OID. This vulnerability can lead to the execution of malicious code in the context of other users&#39; sessions, compromising their accounts and enabling unauthorized actions. This vulnerability is fixed in 24.10.0.

Severity CVSS v4.0: Pending analysis

Last modification:

20/11/2024

CVE-2024-50355

Publication date:

15/11/2024

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. User with Admin role can edit the Display Name of a device, the application did not properly sanitize the user input in the device Display Name, if java script code is inside the name of the device Display Name, its can be trigger from different sources. This vulnerability is fixed in 24.10.0.

Severity CVSS v4.0: Pending analysis

Last modification:

20/11/2024

CVE-2024-50648

Publication date:

15/11/2024

yshopmall V1.0 has an arbitrary file upload vulnerability, which can enable RCE or even take over the server when improperly configured to parse JSP files.

Severity CVSS v4.0: Pending analysis

Last modification:

17/06/2025

CVE-2024-50649

Publication date:

15/11/2024

The user avatar upload function in python_book V1.0 has an arbitrary file upload vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

17/06/2025

CVE-2024-50650

Publication date:

15/11/2024

python_book V1.0 is vulnerable to Incorrect Access Control, which allows attackers to obtain sensitive information of users with different IDs by modifying the ID parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

17/06/2025

CVE-2024-50651

Publication date:

15/11/2024

java_shop 1.0 is vulnerable to Incorrect Access Control, which allows attackers to obtain sensitive information of users with different IDs by modifying the ID parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

27/11/2024

CVE-2024-50652

Publication date:

15/11/2024

A file upload vulnerability in java_shop 1.0 allows attackers to upload arbitrary files by modifying the avatar function.

Severity CVSS v4.0: Pending analysis

Last modification:

22/11/2024

CVE-2024-50647

Publication date:

15/11/2024

The python_food ordering system V1.0 has an unauthorized vulnerability that leads to the leakage of sensitive user information. Attackers can access it through https://ip:port/api/myapp/index/user/info?id=1 And modify the ID value to obtain sensitive user information beyond authorization.

Severity CVSS v4.0: Pending analysis

Last modification:

15/04/2026