Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-41111
Publication date:
18/07/2024
Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. Sliver version 1.6.0 (prerelease) is vulnerable to RCE on the teamserver by a low-privileged "operator" user. The RCE is as the system root user. The exploit is pretty fun as we make the Sliver server pwn itself. As described in a past issue (#65), "there is a clear security boundary between the operator and server, an operator should not inherently be able to run commands or code on the server." An operator who exploited this vulnerability would be able to view all console logs, kick all other operators, view and modify files stored on the server, and ultimately delete the server. This issue has not yet be addressed but is expected to be resolved before the full release of version 1.6.0. Users of the 1.6.0 prerelease should avoid using Silver in production.
Severity CVSS v4.0: Pending analysis
Last modification:
19/07/2024

CVE-2024-5997
Publication date:
18/07/2024
The Duplica – Duplicate Posts, Pages, Custom Posts or Users plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the duplicate_user and duplicate_post functions in all versions up to, and including, 0.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create duplicates of users and posts/pages.
Severity CVSS v4.0: Pending analysis
Last modification:
19/07/2024

CVE-2024-6455
Publication date:
18/07/2024
The ElementsKit Elementor addons plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.2.0 due to a missing capability checks on ekit_widgetarea_content function. This makes it possible for unauthenticated attackers to view any item created in Elementor, such as posts, pages and templates including drafts, pending and private items.
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2025

CVE-2024-39090
Publication date:
18/07/2024
The PHPGurukul Online Shopping Portal Project version 2.0 contains a vulnerability that allows Cross-Site Request Forgery (CSRF) to lead to Stored Cross-Site Scripting (XSS). An attacker can exploit this vulnerability to execute arbitrary JavaScript code in the context of a user's session, potentially leading to account takeover.
Severity CVSS v4.0: Pending analysis
Last modification:
05/04/2025

CVE-2024-39173
Publication date:
18/07/2024
calculator-boilerplate v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the eval function at /routes/calculator.js. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the input field.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2024

CVE-2024-30126
Publication date:
18/07/2024
HCL BigFix Compliance is affected by a missing X-Frame-Options HTTP header which can allow an attacker to create a malicious website that embeds the target website in a frame or iframe, tricking users into performing actions on the target website without their knowledge.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2025

CVE-2024-38806
Publication date:
18/07/2024
Failure to properly synchronize user&amp;#39;s permissions in UAA in Cloud Foundry Foundation v40.17.0 https://github.com/cloudfoundry/cf-deployment/releases/tag/v40.17.0 ,<br /> potentially resulting in users retaining access rights they should not <br /> have. This can allow them to perform operations beyond their intended <br /> permissions.
Severity CVSS v4.0: Pending analysis
Last modification:
19/07/2024

CVE-2024-39152
Publication date:
18/07/2024
Rejected reason: DO NOT USE THIS CVE RECORD. Consult IDs: CVE-2024-6655. Reason: This record is a reservation duplicate of CVE-2024-6655. Notes: All CVE users should reference CVE-2024-6655 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
18/07/2024

CVE-2024-5321
Publication date:
18/07/2024
A security issue was discovered in Kubernetes clusters with Windows nodes where BUILTIN\Users may be able to read container logs and NT AUTHORITY\Authenticated Users may be able to modify container logs.
Severity CVSS v4.0: Pending analysis
Last modification:
19/07/2024

CVE-2024-0857
Publication date:
18/07/2024
Improper Neutralization of Special Elements used in an SQL Command (&amp;#39;SQL Injection&amp;#39;) vulnerability in Universal Software Inc. FlexWater Corporate Water Management allows SQL Injection.This issue affects FlexWater Corporate Water Management: before 5.452.0.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2024

CVE-2024-5625
Publication date:
18/07/2024
Improper Restriction of XML External Entity Reference vulnerability in PruvaSoft Informatics Apinizer Management Console allows Data Serialization External Entities Blowup.This issue affects Apinizer Management Console: before 2024.05.1.
Severity CVSS v4.0: Pending analysis
Last modification:
19/07/2024

CVE-2024-30125
Publication date:
18/07/2024
HCL BigFix Compliance server can respond with an HTTP status of 500, indicating a server-side error that may cause the server process to die.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2025
Subscribe to Vulnerabilities