Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-45294
Publication date:
06/09/2024
The HL7 FHIR Core Artifacts repository provides the java core object handling code, with utilities (including validator), for the Fast Healthcare Interoperability Resources (FHIR) specification. Prior to version 6.3.23, XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML. This issue has been patched in release 6.3.23. No known workarounds are available.
Severity CVSS v4.0: Pending analysis
Last modification:
06/09/2024

CVE-2024-45758
Publication date:
06/09/2024
H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connection_url property with any typical JDBC Connection URL attack payload such as one that uses queryInterceptors.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2025

CVE-2024-8509
Publication date:
06/09/2024
A vulnerability was found in Forklift Controller.  There is no verification against the authorization header except to ensure it uses bearer authentication. Without an Authorization header and some form of a Bearer token, a 401 error occurs. The presence of a token value provides a 200 response with the requested information.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2024

CVE-2024-8517
Publication date:
06/09/2024
SPIP before 4.3.2, 4.2.16, and <br /> 4.1.18 is vulnerable to a command injection issue. A <br /> remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2025

CVE-2024-25584
Publication date:
06/09/2024
Dovecot accepts dot LF DOT LF symbol as end of DATA command. RFC requires that it should always be CR LF DOT CR LF. This causes Dovecot to convert single mail with LF DOT LF in middle, into two emails when relaying to SMTP. Dovecot will split mail with LF DOT LF into two mails. Upgrade to latest released version. No publicly available exploits are known.
Severity CVSS v4.0: Pending analysis
Last modification:
06/09/2024

CVE-2024-7599
Publication date:
06/09/2024
The Advanced Sermons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘sermon_video_embed’ parameter in all versions up to, and including, 3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2024

CVE-2024-7622
Publication date:
06/09/2024
The Revision Manager TMC plugin for WordPress is vulnerable to unauthorized arbitrary email sending due to a missing capability check on the _a_ajaxQuickEmailTestCallback() function in all versions up to, and including, 2.8.19. This makes it possible for authenticated attackers, with subscriber-level access and above, to send emails with arbitrary content to any individual through the vulnerable web server.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2024

CVE-2024-7611
Publication date:
06/09/2024
The Enter Addons – Ultimate Template Builder for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the &amp;#39;tag&amp;#39; attribute of the Events Card widget in all versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2024-8428
Publication date:
06/09/2024
The ForumWP – Forum &amp; Discussion Board Plugin plugin for WordPress is vulnerable to Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 2.0.2 via the submit_form_handler due to missing validation on the &amp;#39;user_id&amp;#39; user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to change the email address of administrative user accounts which can then be leveraged to reset the administrative users password and gain access to their account.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2024-44837
Publication date:
06/09/2024
A cross-site scripting (XSS) vulnerability in the component \bean\Manager.java of Drug v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the user parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2024

CVE-2024-6445
Publication date:
06/09/2024
Improper Limitation of a Pathname to a Restricted Directory (&amp;#39;Path Traversal&amp;#39;) vulnerability in DataFlowX Technology DataDiodeX allows Path Traversal.This issue affects DataDiodeX: from v3.0.0 before v3.1.7.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2024

CVE-2024-7493
Publication date:
06/09/2024
The WPCOM Member plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.5.2.1. This is due to the plugin allowing arbitrary data to be passed to wp_insert_user() during registration. This makes it possible for unauthenticated attackers to update their role to that of an administrator during registration.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026
Subscribe to Vulnerabilities