Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-32470
Publication date:
18/04/2024
Tolgee is an open-source localization platform. When API key created by admin user is used it bypasses the permission check at all. This error was introduced in v3.57.2 and immediately fixed in v3.57.4.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2025

CVE-2024-28185
Publication date:
18/04/2024
Judge0 is an open-source online code execution system. The application does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox. When executing a submission, Judge0 writes a `run_script` to the sandbox directory. The security issue is that an attacker can create a symbolic link (symlink) at the path `run_script` before this code is executed, resulting in the `f.write` writing to an arbitrary file on the unsandboxed system. An attacker can leverage this vulnerability to overwrite scripts on the system and gain code execution outside of the sandbox.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
18/04/2024

CVE-2024-28189
Publication date:
18/04/2024
Judge0 is an open-source online code execution system. The application uses the UNIX chown command on an untrusted file within the sandbox. An attacker can abuse this by creating a symbolic link (symlink) to a file outside the sandbox, allowing the attacker to run chown on arbitrary files outside of the sandbox. This vulnerability is not impactful on it&amp;#39;s own, but it can be used to bypass the patch for CVE-2024-28185 and obtain a complete sandbox escape. This vulnerability is fixed in 1.13.1.
Severity CVSS v4.0: Pending analysis
Last modification:
18/04/2024

CVE-2024-29021
Publication date:
18/04/2024
Judge0 is an open-source online code execution system. The default configuration of Judge0 leaves the service vulnerable to a sandbox escape via Server Side Request Forgery (SSRF). This allows an attacker with sufficient access to the Judge0 API to obtain unsandboxed code execution as root on the target machine. This vulnerability is fixed in 1.13.1.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
18/04/2024

CVE-2024-2796
Publication date:
18/04/2024
A server-side request forgery (SSRF) was discovered in the Akana API Platform in versions prior to and including 2022.1.3. Reported by Jakob Antonsson.
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2024

CVE-2024-27306
Publication date:
18/04/2024
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-32689
Publication date:
18/04/2024
Missing Authorization vulnerability in GenialSouls WP Social Comments.This issue affects WP Social Comments: from n/a through 1.7.3.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
18/04/2024

CVE-2024-3948
Publication date:
18/04/2024
A vulnerability was found in SourceCodester Home Clean Service System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file \admin\student.add.php of the component Photo Handler. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-261440.
Severity CVSS v4.0: Pending analysis
Last modification:
10/02/2025

CVE-2024-32552
Publication date:
18/04/2024
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Tagbox Taggbox allows Stored XSS.This issue affects Taggbox: from n/a through 3.2.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
18/04/2024

CVE-2024-32553
Publication date:
18/04/2024
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in looks_awesome Superfly Menu allows Stored XSS.This issue affects Superfly Menu: from n/a through 5.0.25.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
18/04/2024

CVE-2024-32600
Publication date:
18/04/2024
Deserialization of Untrusted Data vulnerability in Averta Master Slider.This issue affects Master Slider: from n/a through 3.9.5.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2025

CVE-2024-32602
Publication date:
18/04/2024
Improper Neutralization of Special Elements used in an SQL Command (&amp;#39;SQL Injection&amp;#39;) vulnerability in OnTheGoSystems WooCommerce Multilingual &amp; Multicurrency.This issue affects WooCommerce Multilingual &amp; Multicurrency: from n/a through 5.3.3.1.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
19/03/2025
Subscribe to Vulnerabilities