Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-38506

Publication date:

21/06/2024

Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows pasting untrusted data into the rich text editor to execute arbitrary code. HTML pasted into the rich text editor is not sanitized (or not sanitized properly). As such, the `onload` attribute of pasted images can execute arbitrary code. Because the TinyMCE editor frame does not use the `sandbox` attribute, such scripts can access NodeJS&#39;s `require` through the `top` variable. From this, an attacker can run arbitrary commands. This issue has been addressed in version 2.12.10 and users are advised to upgrade. There are no known workarounds for this vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

11/04/2025

CVE-2023-39517

Publication date:

21/06/2024

Joplin is a free, open source note taking and to-do application. A Cross site scripting (XSS) vulnerability in affected versions allows clicking on an untrusted image link to execute arbitrary shell commands. The HTML sanitizer (`packages/renderer/htmlUtils.ts::sanitizeHtml`) preserves `` `` links. However, unlike `` links, the `target` and `href` attributes are not removed. Additionally, because the note preview pane isn&#39;t sandboxed to prevent top navigation, links with `target` set to `_top` can replace the toplevel electron page. Because any toplevel electron page, with Joplin&#39;s setup, has access to `require` and can require node libraries, a malicious replacement toplevel page can import `child_process` and execute arbitrary shell commands. This issue has been fixed in commit 7c52c3e9a81a52ef1b42a951f9deb9d378d59b0f which is included in release version 2.12.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

26/09/2024

CVE-2023-45673

Publication date:

21/06/2024

Joplin is a free, open source note taking and to-do application. A remote code execution (RCE) vulnerability in affected versions allows clicking on a link in a PDF in an untrusted note to execute arbitrary shell commands. Clicking links in PDFs allows for arbitrary code execution because Joplin desktop: 1. has not disabled top redirection for note viewer iframes, and 2. and has node integration enabled. This is a remote code execution vulnerability that impacts anyone who attaches untrusted PDFs to notes and has the icon enabled. This issue has been addressed in version 2.13.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

11/04/2025

CVE-2023-37898

Publication date:

21/06/2024

Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows an untrusted note opened in safe mode to execute arbitrary code. `packages/renderer/MarkupToHtml.ts` renders note content in safe mode by surrounding it with and , without escaping any interior HTML tags. Thus, an attacker can create a note that closes the opening tag, then includes HTML that runs JavaScript. Because the rendered markdown iframe has the same origin as the toplevel document and is not sandboxed, any scripts running in the preview iframe can access the top variable and, thus, access the toplevel NodeJS `require` function. `require` can then be used to import modules like fs or child_process and run arbitrary commands. This issue has been addressed in version 2.12.9 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

11/04/2025

CVE-2020-27352

Publication date:

21/06/2024

When generating the systemd service units for the docker snap (and other similar snaps), snapd does not specify Delegate=yes - as a result systemd will move processes from the containers created and managed by these snaps into the cgroup of the main daemon within the snap itself when reloading system units. This may grant additional privileges to a container within the snap that were not originally intended.

Severity CVSS v4.0: Pending analysis

Last modification:

26/08/2025

CVE-2024-37673

Publication date:

21/06/2024

Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the filename parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

03/07/2024

CVE-2024-37675

Publication date:

21/06/2024

Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the parameter "sectionContent" related to the functionality of adding notes to an uploaded file.

Severity CVSS v4.0: Pending analysis

Last modification:

18/03/2025

CVE-2024-6241

Publication date:

21/06/2024

A vulnerability was found in Pear Admin Boot up to 2.0.2 and classified as critical. This issue affects the function getDictItems of the file /system/dictData/getDictItems/. The manipulation with the input ,user(),1,1 leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-269375.

Severity CVSS v4.0: Pending analysis

Last modification:

24/06/2024

CVE-2024-35537

Publication date:

21/06/2024

TVS Motor Company Limited TVS Connect Android v4.6.0 and IOS v5.0.0 was discovered to insecurely handle the RSA key pair, allowing attackers to possibly access sensitive information via decryption.

Severity CVSS v4.0: Pending analysis

Last modification:

13/03/2025

CVE-2024-37671

Publication date:

21/06/2024

Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the page parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

14/03/2025

CVE-2024-37672

Publication date:

21/06/2024

Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the idactivity parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

29/10/2024

CVE-2024-35781

Publication date:

21/06/2024

Improper Limitation of a Pathname to a Restricted Directory (&#39;Path Traversal&#39;) vulnerability in YAHMAN Word Balloon allows PHP Local File Inclusion.This issue affects Word Balloon: from n/a through 4.21.1.

Severity CVSS v4.0: Pending analysis

Last modification:

24/06/2024

Subscribe to Vulnerabilities