Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-53365

Publication date:
26/11/2024
A stored cross-site scripting (XSS) vulnerability was identified in PHPGURUKUL Vehicle Parking Management System v1.13 in /users/profile.php. This vulnerability allows authenticated users to inject malicious XSS scripts into the profile name field.
Severity CVSS v4.0: Pending analysis
Last modification:
27/03/2025

CVE-2024-53555

Publication date:
26/11/2024
A CSV injection vulnerability in Taiga v6.8.1 allows attackers to execute arbitrary code via uploading a crafted CSV file.
Severity CVSS v4.0: Pending analysis
Last modification:
26/11/2024

CVE-2024-11177

Publication date:
26/11/2024
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
26/11/2024

CVE-2024-11407

Publication date:
26/11/2024
There exists a denial of service through Data corruption in gRPC-C++ - gRPC-C++ servers with transmit zero copy enabled through the channel arg GRPC_ARG_TCP_TX_ZEROCOPY_ENABLED can experience data corruption issues. The data sent by the application may be corrupted before transmission over the network thus leading the receiver to receive an incorrect set of bytes causing RPC requests to fail. We recommend upgrading past commit e9046b2bbebc0cb7f5dc42008f807f6c7e98e791
Severity CVSS v4.0: MEDIUM
Last modification:
23/07/2025

CVE-2024-52336

Publication date:
26/11/2024
A script injection vulnerability was identified in the Tuned package. The `instance_create()` D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with `script_pre` or `script_post` options that permit arbitrary scripts with their absolute paths to be passed. These user- or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges, which could allow attackers to perform local privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2025

CVE-2024-52337

Publication date:
26/11/2024
A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters; newlines can be inserted into the log. Instead of the 'evil' the attacker could mimic a valid TuneD log line and trick the administrator. The quotes '' are usually used in TuneD logs citing raw user input, so there will always be the ' character ending the spoofed input, and the administrator can easily overlook this. This logged string is later used in logging and in the output of utilities, for example, `tuned-adm get_instances` or other third-party programs that use Tuned's D-Bus interface for such operations.
Severity CVSS v4.0: Pending analysis
Last modification:
25/02/2025

CVE-2024-22117

Publication date:
26/11/2024
When a URL is added to the map element, it is recorded in the database with sequential IDs. Upon adding a new URL, the system retrieves the last sysmapelementurlid value and increments it by one. However, an issue arises when a user manually changes the sysmapelementurlid value by adding sysmapelementurlid + 1. This action prevents others from adding URLs to the map element.
Severity CVSS v4.0: Pending analysis
Last modification:
08/10/2025

CVE-2024-36463

Publication date:
26/11/2024
The implementation of atob in "Zabbix JS" allows creating a string with arbitrary content and using it to access internal properties of objects.
Severity CVSS v4.0: Pending analysis
Last modification:
08/10/2025

CVE-2024-8236

Publication date:
26/11/2024
The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter of the Icon widget in all versions up to, and including, 3.25.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
21/04/2025

CVE-2024-9461

Publication date:
26/11/2024
The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.16.6 via the cron_interval parameter. This is due to missing input validation and sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.
Severity CVSS v4.0: Pending analysis
Last modification:
22/05/2025

CVE-2024-9928

Publication date:
26/11/2024
A vulnerability exists in NSD570 login panel that does not restrict excessive authentication attempts. If exploited, this could cause account takeover and unauthorized access to the system when an attacker conducts brute-force attacks against the equipment login. Note that the system supports only one concurrent session and implements a delay of more than a second between failed login attempts making it difficult to automate the attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
26/11/2024

CVE-2024-9929

Publication date:
26/11/2024
A vulnerability exists in NSD570 that allows any authenticated user to access all device logs disclosing login information with timestamps.
Severity CVSS v4.0: Pending analysis
Last modification:
26/11/2024