Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-46280
Publication date:
30/09/2024
PIX-LINK LV-WR22 RE3002-P1-01_V117.0 is vulnerable to Improper Access Control. The TELNET service is enabled with weak credentials for a root-level account, without the possibility of changing them.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-45792
Publication date:
30/09/2024
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Using a crafted POST request, an unprivileged, registered user is able to retrieve information about other users' personal system profiles. This vulnerability is fixed in 2.26.4.
Severity CVSS v4.0: MEDIUM
Last modification:
15/08/2025

CVE-2024-45920
Publication date:
30/09/2024
A Stored Cross-Site Scripting (XSS) vulnerability in Solvait 24.4.2 allows remote attackers to inject malicious scripts into the application. This issue arises due to insufficient input validation and sanitization in "Intrest" feature.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2024-47641
Publication date:
30/09/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Muhammad Shakeel Confetti Fall Animation confetti-fall-animation allows Stored XSS.This issue affects Confetti Fall Animation: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-6051
Publication date:
30/09/2024
Cross Application Scripting vulnerability in Vercom S.A. Redlink SDK in specific situations allows local code injection and to manipulate the view of a vulnerable application.This issue affects Redlink SDK versions through 1.13.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2024-45772
Publication date:
30/09/2024
Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator.<br /> <br /> This issue affects Apache Lucene&amp;#39;s replicator module: from 4.4.0 before 9.12.0.<br /> The deprecated org.apache.lucene.replicator.http package is affected.<br /> The org.apache.lucene.replicator.nrt package is not affected.<br /> <br /> Users are recommended to upgrade to version 9.12.0, which fixes the issue.<br /> <br /> The deserialization can only be triggered if users actively deploy an network-accessible implementation and a corresponding client using a HTTP library that uses the API (e.g., a custom servlet and HTTPClient). Java serialization filters (such as -Djdk.serialFilter=&amp;#39;!*&amp;#39; on the commandline) can mitigate the issue on vulnerable versions without impacting functionality.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2025

CVE-2024-8457
Publication date:
30/09/2024
Certain switch models from PLANET Technology have a web application that does not properly validate specific parameters, allowing remote authenticated users with administrator privileges to inject arbitrary JavaScript, leading to Stored XSS attack.
Severity CVSS v4.0: Pending analysis
Last modification:
04/10/2024

CVE-2024-8458
Publication date:
30/09/2024
Certain switch models from PLANET Technology have a web application that is vulnerable to Cross-Site Request Forgery (CSRF). An unauthenticated remote attacker can trick a user into visiting a malicious website, allowing the attacker to impersonate the user and perform actions on their behalf, such as creating accounts.
Severity CVSS v4.0: Pending analysis
Last modification:
04/10/2024

CVE-2024-8459
Publication date:
30/09/2024
Certain switch models from PLANET Technology store SNMPv3 users&amp;#39; passwords in plaintext within the configuration files, allowing remote attackers with administrator privileges to read the file and obtain the credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
04/10/2024

CVE-2024-9329
Publication date:
30/09/2024
In Eclipse Glassfish versions before 7.0.17, The Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is &amp;#39;/management/domain&amp;#39;. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2024

CVE-2024-8453
Publication date:
30/09/2024
Certain switch models from PLANET Technology use an insecure hashing function to hash user passwords without being salted. Remote attackers with administrator privileges can read configuration files to obtain the hash values, and potentially crack them to retrieve the plaintext passwords.
Severity CVSS v4.0: Pending analysis
Last modification:
04/10/2024

CVE-2024-8454
Publication date:
30/09/2024
The swctrl service is used to detect and remotely manage PLANET Technology devices. Certain switch models have a Denial-of-Service vulnerability in the swctrl service, allowing unauthenticated remote attackers to send crafted packets that can crash the service.
Severity CVSS v4.0: Pending analysis
Last modification:
04/10/2024
Subscribe to Vulnerabilities