Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used in order to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to their information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-39298

Publication date:
06/09/2024
A missing authorization vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local authenticated users to access data or perform actions that they should not be allowed to perform via unspecified vectors.
QuTScloud is not affected.
We have already fixed the vulnerability in the following versions:
QTS 5.2.0.2737 build 20240417 and later
QuTS hero h5.2.0.2782 build 20240601 and later
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2024-44401

Publication date:
06/09/2024
D-Link DI-8100G 17.12.20A1 is vulnerable to Command Injection via the sub47A60C function in the upgrade_filter.asp file.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2024

CVE-2024-44402

Publication date:
06/09/2024
D-Link DI-8100G 17.12.20A1 is vulnerable to Command Injection via msp_info.htm.
Severity CVSS v4.0: Pending analysis
Last modification:
10/09/2024

CVE-2024-44408

Publication date:
06/09/2024
D-Link DIR-823G v1.0.2B05_20181207 is vulnerable to Information Disclosure. The device allows unauthorized configuration file downloads, and the downloaded configuration files contain plaintext user passwords.
Severity CVSS v4.0: Pending analysis
Last modification:
10/09/2024

CVE-2024-45294

Publication date:
06/09/2024
The HL7 FHIR Core Artifacts repository provides the Java core object handling code, with utilities (including a validator), for the Fast Healthcare Interoperability Resources (FHIR) specification. Prior to version 6.3.23, XSLT transforms performed by various components are vulnerable to XML external entity injection. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used within a host where external clients can submit XML. This issue has been patched in release 6.3.23. No known workarounds are available.
Severity CVSS v4.0: Pending analysis
Last modification:
06/09/2024

CVE-2024-45758

Publication date:
06/09/2024
H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connection_url property with any typical JDBC Connection URL attack payload such as one that uses queryInterceptors.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2025

CVE-2024-8509

Publication date:
06/09/2024
A vulnerability was found in Forklift Controller. There is no verification of the Authorization header beyond ensuring that it uses bearer authentication. Without an Authorization header and some form of Bearer token, a 401 error occurs. The presence of any token value yields a 200 response with the requested information.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2024

CVE-2024-8517

Publication date:
06/09/2024
SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2025

CVE-2024-25584

Publication date:
06/09/2024
Dovecot accepts the LF DOT LF sequence as the end of the DATA command. The RFC requires that it always be CR LF DOT CR LF. This causes Dovecot to convert a single mail containing LF DOT LF in the middle into two emails when relaying to SMTP. Upgrade to the latest released version. No publicly available exploits are known.
Severity CVSS v4.0: Pending analysis
Last modification:
06/09/2024

CVE-2024-7599

Publication date:
06/09/2024
The Advanced Sermons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘sermon_video_embed’ parameter in all versions up to, and including, 3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2024

CVE-2024-7611

Publication date:
06/09/2024
The Enter Addons – Ultimate Template Builder for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' attribute of the Events Card widget in all versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2024

CVE-2024-7622

Publication date:
06/09/2024
The Revision Manager TMC plugin for WordPress is vulnerable to unauthorized arbitrary email sending due to a missing capability check on the _a_ajaxQuickEmailTestCallback() function in all versions up to, and including, 2.8.19. This makes it possible for authenticated attackers, with subscriber-level access and above, to send emails with arbitrary content to any individual through the vulnerable web server.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2024