Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, since entries are added while the INCIBE team is still translating them. The CVE (Common Vulnerabilities and Exposures) naming standard for information security vulnerabilities is used so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notice of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recently added vulnerabilities.

CVE-2024-9164

Publication date:
11/10/2024
An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2024

CVE-2024-9211

Publication date:
11/10/2024
The FULL – Cliente plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.1.22. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2024

CVE-2024-45316

Publication date:
11/10/2024
The Improper link resolution before file access ('Link Following') vulnerability in SonicWall Connect Tunnel (version 12.4.3.271 and earlier of Windows client) allows users with standard privileges to delete arbitrary folders and files, potentially leading to local privilege escalation attack.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2024

CVE-2024-45317

Publication date:
11/10/2024
A Server-Side Request Forgery (SSRF) vulnerability in SMA1000 appliance firmware versions 12.4.3-02676 and earlier allows a remote, unauthenticated attacker to cause the SMA1000 server-side application to make requests to an unintended IP address.
Severity CVSS v4.0: Pending analysis
Last modification:
22/03/2025

CVE-2024-48987

Publication date:
11/10/2024
Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values.
Severity CVSS v4.0: Pending analysis
Last modification:
22/05/2025

CVE-2024-5005

Publication date:
11/10/2024
An issue has been discovered in GitLab EE/CE affecting all versions starting from 11.4 before 17.2.9, all versions starting from 17.3 before 17.3.5, and all versions starting from 17.4 before 17.4.2. It was possible for guest users to disclose project templates using the API.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2024

CVE-2024-6971

Publication date:
11/10/2024
A path traversal vulnerability exists in the parisneo/lollms-webui repository, specifically in the `lollms_file_system.py` file. The functions `add_rag_database`, `toggle_mount_rag_database`, and `vectorize_folder` do not implement security measures such as `sanitize_path_from_endpoint` or `sanitize_path`. This allows an attacker to perform vectorize operations on `.sqlite` files in any directory on the victim's computer, potentially installing multiple packages and causing a crash.
Severity CVSS v4.0: Pending analysis
Last modification:
15/08/2025

CVE-2024-7514

Publication date:
11/10/2024
The WordPress Comments Import & Export plugin for WordPress is vulnerable to arbitrary file read due to insufficient file path validation during the comments import process, in versions up to, and including, 2.3.7. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
The issue was partially fixed in version 2.3.8 and fully fixed in 2.3.9.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2024

CVE-2023-42133

Publication date:
11/10/2024
PAX Android based POS devices allow for escalation of privilege via improperly configured scripts.
An attacker must have shell access with system account privileges in order to exploit this vulnerability.
A patch addressing this issue was included in firmware version PayDroid_8.1.0_Sagittarius_V11.1.61_20240226.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2024

CVE-2024-21534

Publication date:
11/10/2024
All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of vm in Node.
**Note:** There were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2024-45315

Publication date:
11/10/2024
The Improper link resolution before file access ('Link Following') vulnerability in SonicWall Connect Tunnel (version 12.4.3.271 and earlier of Windows client) allows users with standard privileges to create arbitrary folders and files, potentially leading to local Denial of Service (DoS) attack.
Severity CVSS v4.0: Pending analysis
Last modification:
01/11/2024

CVE-2024-9822

Publication date:
11/10/2024
The Pedalo Connector plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.5. This is due to insufficient restriction on the 'login_admin_user' function. This makes it possible for unauthenticated attackers to log in as the first user, who is usually the administrator, or, if that user does not exist, as the first administrator.
Severity CVSS v4.0: Pending analysis
Last modification:
15/11/2024