Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-48251

Publication date:
14/10/2024
Wavelog 1.8.5 allows Activated_gridmap_model.php get_band_confirmed SQL injection via band, sat, propagation, or mode.
Severity CVSS v4.0: Pending analysis
Last modification:
17/10/2024

CVE-2024-48257

Publication date:
14/10/2024
Wavelog 1.8.5 allows Oqrs_model.php get_worked_modes station_id SQL injection.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2024

CVE-2024-7847

Publication date:
14/10/2024
VULNERABILITY DETAILS

Rockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported to us by Sharon Brizinov of Claroty Research - Team82.

A feature in the affected products enables users to prepare a project file with an embedded VBA script and can be configured to run once the project file has been opened without user intervention. This feature can be abused to trick a legitimate user into executing malicious code upon opening an infected RSP/RSS project file. If exploited, a threat actor may be able to perform a remote code execution. Connected devices may also be impacted by exploitation of this vulnerability.
Severity CVSS v4.0: HIGH
Last modification:
29/09/2025

CVE-2024-8602

Publication date:
14/10/2024
When the XML is read from the codes in the PDF and parsed using a DocumentBuilder, the default settings of the DocumentBuilder allow for an XXE (XML External Entity) attack. Further information on this can be found on the website of the Open Worldwide Application Security Project (OWASP). An attacker could theoretically leverage this by delivering a manipulated PDF file to the target, and depending on the environment, various actions can be executed. These actions include:

* Reading files from the operating system
* Crashing the thread handling the parsing or causing it to enter an infinite loop
* Executing HTTP requests
* Loading additional DTDs or XML files
* Under certain conditions, executing OS commands
Severity CVSS v4.0: MEDIUM
Last modification:
11/12/2024

CVE-2024-9936

Publication date:
14/10/2024
When manipulating the selection node cache, an attacker may have been able to cause unexpected behavior, potentially leading to an exploitable crash. This vulnerability affects Firefox
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2025

CVE-2024-48119

Publication date:
14/10/2024
Vtiger CRM v8.2.0 has a HTML Injection vulnerability in the module parameter. Authenticated users can inject arbitrary HTML.
Severity CVSS v4.0: Pending analysis
Last modification:
30/10/2024

CVE-2024-48120

Publication date:
14/10/2024
X2CRM v8.5 is vulnerable to a stored Cross-Site Scripting (XSS) in the "Opportunities" module. An attacker can inject malicious JavaScript code into the "Name" field when creating a list.
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2024

CVE-2024-48253

Publication date:
14/10/2024
Cloudlog 2.6.15 allows Oqrs.php delete_oqrs_line id SQL injection.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2024

CVE-2024-48255

Publication date:
14/10/2024
Cloudlog 2.6.15 allows Oqrs.php get_station_info station_id SQL injection.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2024

CVE-2024-43701

Publication date:
14/10/2024
Software installed and run as a non-privileged user may conduct GPU system calls to read and write freed physical memory from the GPU.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2024

CVE-2024-46911

Publication date:
14/10/2024
Cross-site Resource Forgery (CSRF), Privilege escalation vulnerability in Apache Roller. On multi-blog/user Roller websites, by default weblog owners are trusted to publish arbitrary weblog content and this combined with a deficiency in Roller's CSRF protections allowed an escalation of privileges attack. This issue affects Apache Roller before 6.1.4.

Roller users who run multi-blog/user Roller websites are recommended to upgrade to version 6.1.4, which fixes the issue.

Roller 6.1.4 release announcement: https://lists.apache.org/thread/3c3f6rwqptyw6wdc95654fq5vlosqdpw
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2025

CVE-2024-9137

Publication date:
14/10/2024
The affected product lacks an authentication check when sending commands to the server via the Moxa service. This vulnerability allows an attacker to execute specified commands, potentially leading to unauthorized downloads or uploads of configuration files and system compromise.
Severity CVSS v4.0: HIGH
Last modification:
17/01/2025