Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-32111

Publication date:
25/06/2024
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal. This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9, from 5.8 through 5.8.9, from 5.7 through 5.7.11, from 5.6 through 5.6.13, from 5.5 through 5.5.14, from 5.4 through 5.4.15, from 5.3 through 5.3.17, from 5.2 through 5.2.20, from 5.1 through 5.1.18, from 5.0 through 5.0.21, from 4.9 through 4.9.25, from 4.8 through 4.8.24, from 4.7 through 4.7.28, from 4.6 through 4.6.28, from 4.5 through 4.5.31, from 4.4 through 4.4.32, from 4.3 through 4.3.33, from 4.2 through 4.2.37, from 4.1 through 4.1.40.
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2024

CVE-2024-21827

Publication date:
25/06/2024
A leftover debug code vulnerability exists in the cli_server debug functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.4.1 Build 20240117 Rel.57421. A specially crafted series of network requests can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2024-6301

Publication date:
25/06/2024
Lack of validation of origin in federation API in Conduit, allowing any remote server to impersonate any user from any server in most EDUs
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2024-6302

Publication date:
25/06/2024
Lack of privilege checking when processing a redaction in Conduit versions v0.6.0 and lower, allowing a local user to redact any message from users on the same server, given that they are able to send redaction events.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2024-6303

Publication date:
25/06/2024
Missing authorization in Client-Server API in Conduit
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2024-4846

Publication date:
25/06/2024
Authentication bypass in the 2FA feature in Devolutions Server 2024.1.14.0 and earlier allows an authenticated attacker to authenticate to another user without being asked for the 2FA via another browser tab.
Severity CVSS v4.0: Pending analysis
Last modification:
28/03/2025

CVE-2024-6299

Publication date:
25/06/2024
Lack of consideration of key expiry when validating signatures in Conduit, allowing an attacker which has compromised an expired key to forge requests as the remote server, as well as PDUs with timestamps past the expiry date
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2024-6300

Publication date:
25/06/2024
Incomplete cleanup when performing redactions in Conduit, allowing an attacker to check whether certain strings were present in the PDU before redaction
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2024-5261

Publication date:
25/06/2024
Improper Certificate Validation vulnerability in LibreOffice "LibreOfficeKit" mode disables TLS certification verification. LibreOfficeKit can be used for accessing LibreOffice functionality through C/C++. Typically this is used by third party components to reuse LibreOffice as a library to convert, view or otherwise interact with documents. LibreOffice internally makes use of "curl" to fetch remote resources such as images hosted on webservers. In affected versions of LibreOffice, when used in LibreOfficeKit mode only, then curl's TLS certification verification was disabled (CURLOPT_SSL_VERIFYPEER of false). In the fixed versions curl operates in LibreOfficeKit mode the same as in standard mode with CURLOPT_SSL_VERIFYPEER of true. This issue affects LibreOffice before version 24.2.4.
Severity CVSS v4.0: CRITICAL
Last modification:
23/12/2025

CVE-2024-31111

Publication date:
25/06/2024
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS. This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9.
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2024

CVE-2024-28831

Publication date:
25/06/2024
Stored XSS in some confirmation pop-ups in Checkmk before versions 2.3.0p7 and 2.2.0p28 allows Checkmk users to execute arbitrary scripts by injecting HTML elements into some user input fields that are shown in a confirmation pop-up.
Severity CVSS v4.0: Pending analysis
Last modification:
04/12/2024

CVE-2024-28832

Publication date:
25/06/2024
Stored XSS in the Crash Report page in Checkmk before versions 2.3.0p7, 2.2.0p28, 2.1.0p45, and 2.0.0 (EOL) allows users with permission to change Global Settings to execute arbitrary scripts by injecting HTML elements into the Crash Report URL in the Global Settings.
Severity CVSS v4.0: Pending analysis
Last modification:
04/12/2024