Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-11991

Publication date:

09/12/2024

Motoko&#39;s incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister&#39;s memory. However, exploiting this bug requires the Canister to enable the incremental garbage collector or enhanced orthogonal persistence, which are non-default features in Motoko.

Severity CVSS v4.0: Pending analysis

Last modification:

08/12/2025

CVE-2023-7298

Publication date:

09/12/2024

A maliciously crafted FBX file, when parsed through Autodesk FBX SDK, may force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process.

Severity CVSS v4.0: Pending analysis

Last modification:

18/08/2025

CVE-2024-54936

Publication date:

09/12/2024

A Stored Cross-Site Scripting (XSS) vulnerability was found in /send_message.php of Kashipara E-learning Management System v1.0. This vulnerability allows remote attackers to execute arbitrary scripts via the my_message parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

10/12/2024

CVE-2024-54937

Publication date:

09/12/2024

A Directory Listing issue was found in Kashipara E-Learning Management System v1.0, which allows remote attackers to access sensitive files and directories via /admin/assets.

Severity CVSS v4.0: Pending analysis

Last modification:

20/03/2025

CVE-2024-8259

Publication date:

09/12/2024

Improper Neutralization of Special Elements used in an SQL Command (&#39;SQL Injection&#39;) vulnerability in Eryaz Information Technologies NatraCar B2B Dealer Management Program allows SQL Injection.This issue affects NatraCar B2B Dealer Management Program: through 09.12.2024. NOTE: The vendor was contacted and it was learned that the product is not supported.

Severity CVSS v4.0: Pending analysis

Last modification:

13/12/2024

CVE-2024-53814

Publication date:

09/12/2024

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Analytify.This issue affects Analytify: from n/a through 5.4.3.

Severity CVSS v4.0: Pending analysis

Last modification:

09/06/2025

CVE-2024-53947

Publication date:

09/12/2024

Improper Neutralization of Special Elements used in an SQL Command (&#39;SQL Injection&#39;) vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset&#39;s SQL authorization. This issue is a follow-up to CVE-2024-39887 with additional disallowed PostgreSQL functions now included: query_to_xml_and_xmlschema, table_to_xml, table_to_xml_and_xmlschema. This issue affects Apache Superset:

Severity CVSS v4.0: LOW

Last modification:

15/07/2025

CVE-2024-53948

Publication date:

09/12/2024

Generation of Error Message Containing analytics metadata Information in Apache Superset. This issue affects Apache Superset: before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue.

Severity CVSS v4.0: MEDIUM

Last modification:

11/02/2025

CVE-2024-53949

Publication date:

09/12/2024

Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows for lower privilege users to use this API. issue affects Apache Superset: from 2.0.0 before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue.

Severity CVSS v4.0: HIGH

Last modification:

12/02/2025

CVE-2024-54218

Publication date:

09/12/2024

Missing Authorization vulnerability in Thehp AIO Contact.This issue affects AIO Contact: from n/a through 2.8.1.

Severity CVSS v4.0: Pending analysis

Last modification:

09/12/2024

CVE-2024-54929

Publication date:

09/12/2024

KASHIPARA E-learning Management System v1.0 is vulnerable to SQL Injection in /admin/delete_subject.php.

Severity CVSS v4.0: Pending analysis

Last modification:

18/03/2025

CVE-2024-52385

Publication date:

09/12/2024

Improper Control of Filename for Include/Require Statement in PHP Program (&#39;PHP Remote File Inclusion&#39;) vulnerability in Sk. Abul Hasan Team Member.This issue affects Team Member: from n/a through 7.3.

Severity CVSS v4.0: Pending analysis

Last modification:

09/12/2024

Subscribe to Vulnerabilities