Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-41304

Publication date:

30/07/2024

An arbitrary file upload vulnerability in the uploadFileAction() function of WonderCMS v3.4.3 allows attackers to execute arbitrary code via a crafted SVG file.

Severity CVSS v4.0: Pending analysis

Last modification:

11/04/2025

CVE-2024-41305

Publication date:

30/07/2024

A Server-Side Request Forgery (SSRF) in the Plugins Page of WonderCMS v3.4.3 allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the pluginThemeUrl parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

08/08/2024

CVE-2024-5486

Publication date:

30/07/2024

A vulnerability exists in ClearPass Policy Manager that allows for an attacker with administrative privileges to access sensitive information in a cleartext format. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager

Severity CVSS v4.0: Pending analysis

Last modification:

11/09/2024

CVE-2024-7208

Publication date:

30/07/2024

A vulnerability in multi-tenant hosting allows an authenticated sender to spoof the identity of a shared, hosted domain, thus bypass security measures provided by DMARC (or SPF or DKIM) policies.

Severity CVSS v4.0: Pending analysis

Last modification:

21/11/2024

CVE-2024-7209

Publication date:

30/07/2024

A vulnerability exists in the use of shared SPF records in multi-tenant hosting providers, allowing attackers to use network authorization to be abused to spoof the email identify of the sender.

Severity CVSS v4.0: Pending analysis

Last modification:

21/11/2024

CVE-2024-7297

Publication date:

30/07/2024

Langflow versions prior to 1.0.13 suffer from a Privilege Escalation vulnerability, allowing a remote and low privileged attacker to gain super admin privileges by performing a mass assignment request on the &#39;/api/v1/users&#39; endpoint.

Severity CVSS v4.0: Pending analysis

Last modification:

24/06/2025

CVE-2023-38001

Publication date:

30/07/2024

IBM Aspera Orchestrator 4.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 260206.

Severity CVSS v4.0: Pending analysis

Last modification:

13/08/2024

CVE-2024-41915

Publication date:

30/07/2024

A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance. An attacker could exploit this vulnerability to obtain and modify sensitive information in the underlying database potentially leading to complete compromise of the ClearPass Policy Manager cluster.

Severity CVSS v4.0: Pending analysis

Last modification:

07/04/2025

CVE-2024-41916

Publication date:

30/07/2024

Severity CVSS v4.0: Pending analysis

Last modification:

28/10/2024

CVE-2024-41944

Publication date:

30/07/2024

Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the `report/data/proofofplayReport` API route inside the CMS. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the `sortBy` parameter. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue.

Severity CVSS v4.0: Pending analysis

Last modification:

31/07/2024

CVE-2023-26289

Publication date:

30/07/2024

IBM Aspera Orchestrator 4.0.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 248478.

Severity CVSS v4.0: Pending analysis

Last modification:

13/08/2024

CVE-2023-26288

Publication date:

30/07/2024

IBM Aspera Orchestrator 4.0.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 248477.

Severity CVSS v4.0: Pending analysis

Last modification:

13/08/2024

Subscribe to Vulnerabilities