Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-3303
Publication date:
13/02/2025
An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.6.5, starting from 17.7 prior to 17.7.4, and starting from 17.8 prior to 17.8.2, which allows an attacker to exfiltrate contents of a private issue using prompt injection.
Severity CVSS v4.0: Pending analysis
Last modification:
06/08/2025

CVE-2024-46910
Publication date:
13/02/2025
An authenticated user can perform XSS and potentially impersonate another user.<br /> <br /> This issue affects Apache Atlas versions 2.3.0 and earlier.<br /> <br /> Users are recommended to upgrade to version 2.4.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2025

CVE-2024-13639
Publication date:
13/02/2025
The Read More &amp; Accordion plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the expmDeleteData() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary &amp;#39;read more&amp;#39; posts.
Severity CVSS v4.0: Pending analysis
Last modification:
18/02/2025

CVE-2025-0815
Publication date:
13/02/2025
CWE-20: Improper Input Validation vulnerability exists that could cause Denial-of-Service of the<br /> product when malicious ICMPV6 packets are sent to the device.
Severity CVSS v4.0: HIGH
Last modification:
13/02/2025

CVE-2025-0816
Publication date:
13/02/2025
CWE-20: Improper Input Validation vulnerability exists that could cause Denial-of-Service of the<br /> product when malicious IPV6 packets are sent to the device.
Severity CVSS v4.0: HIGH
Last modification:
13/02/2025

CVE-2025-0327
Publication date:
13/02/2025
CWE-269: Improper Privilege Management vulnerability exists for two services (of which one managing audit<br /> trail data and the other acting as server managing client request) that could cause a loss of Confidentiality,<br /> Integrity and Availability of engineering workstation when an attacker with standard privilege modifies the<br /> executable path of the windows services. To be exploited, services need to be restarted.
Severity CVSS v4.0: HIGH
Last modification:
13/02/2025

CVE-2025-0661
Publication date:
13/02/2025
The DethemeKit For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.36 via the duplicate_post() function due to insufficient restrictions on which posts can be duplicated. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, draft, or scheduled posts that they should not have access to by duplicating the post.
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2025

CVE-2025-0814
Publication date:
13/02/2025
CWE-20: Improper Input Validation vulnerability exists that could cause Denial-of-Service of the network<br /> services running on the product when malicious IEC61850-MMS packets are sent to the device. The core<br /> functionality of the breaker remains intact during the attack.
Severity CVSS v4.0: MEDIUM
Last modification:
13/02/2025

CVE-2024-47266
Publication date:
13/02/2025
Improper limitation of a pathname to a restricted directory (&amp;#39;Path Traversal&amp;#39;) vulnerability in share file list functionality in Synology Active Backup for Business before 2.7.1-13234, 2.7.1-23234 and 2.7.1-3234 allows remote authenticated users with administrator privileges to read specific files containing non-sensitive information via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2026

CVE-2024-47265
Publication date:
13/02/2025
Improper limitation of a pathname to a restricted directory (&amp;#39;Path Traversal&amp;#39;) vulnerability in encrypted share umount functionality in Synology Active Backup for Business before 2.7.1-13234, 2.7.1-23234 and 2.7.1-3234 allows remote authenticated users to write specific files via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2026

CVE-2024-13346
Publication date:
13/02/2025
The Avada | Website Builder For WordPress &amp; WooCommerce theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.11.13. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2025

CVE-2024-47264
Publication date:
13/02/2025
Improper limitation of a pathname to a restricted directory (&amp;#39;Path Traversal&amp;#39;) vulnerability in agent-related functionality in Synology Active Backup for Business before 2.7.1-13234, 2.7.1-23234 and 2.7.1-3234 allows remote authenticated users with administrator privileges to delete arbitrary files via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2026
Subscribe to Vulnerabilities