Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-2953
Publication date:
22/05/2024
The LuckyWP Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Contributor permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2025

CVE-2023-6487
Publication date:
22/05/2024
The LuckyWP Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Header Title' field in all versions up to and including 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2025

CVE-2024-0632
Publication date:
22/05/2024
The Automatic Translator with Google Translate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom font setting in all versions up to, and including, 1.5.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity CVSS v4.0: Pending analysis
Last modification:
22/05/2024

CVE-2024-3198
Publication date:
22/05/2024
The WP Font Awesome Share Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s <br /> &amp;#39;wpfai_social&amp;#39; shortcode in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
22/05/2024

CVE-2024-3663
Publication date:
22/05/2024
The WP Scraper plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wp_scraper_multi_scrape_action() function in all versions up to, and including, 5.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary pages and posts.
Severity CVSS v4.0: Pending analysis
Last modification:
22/05/2024

CVE-2024-3927
Publication date:
22/05/2024
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid &amp; Carousel, Remote Arrows) plugin for WordPress is vulnerable to Form Submission Admin Email Bypass in all versions up to, and including, 5.6.3. This is due to the plugin not properly checking for all variations of an administrators emails. This makes it possible for unauthenticated attackers to bypass the restriction using a +value when submitting the contact form.
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2025

CVE-2021-47473
Publication date:
22/05/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: qla2xxx: Fix a memory leak in an error path of qla2x00_process_els()<br /> <br /> Commit 8c0eb596baa5 ("[SCSI] qla2xxx: Fix a memory leak in an error path of<br /> qla2x00_process_els()"), intended to change:<br /> <br /> bsg_job-&gt;request-&gt;msgcode == FC_BSG_HST_ELS_NOLOGIN<br /> <br /> <br /> bsg_job-&gt;request-&gt;msgcode != FC_BSG_RPT_ELS<br /> <br /> but changed it to:<br /> <br /> bsg_job-&gt;request-&gt;msgcode == FC_BSG_RPT_ELS<br /> <br /> instead.<br /> <br /> Change the == to a != to avoid leaking the fcport structure or freeing<br /> unallocated memory.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2025

CVE-2024-1446
Publication date:
22/05/2024
The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.3. This is due to missing or incorrect nonce validation on the nxssnap-reposter page. This makes it possible for unauthenticated attackers to delete arbitrary posts or pages via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
07/02/2025

CVE-2024-1762
Publication date:
22/05/2024
The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTTP_USER_AGENT header in all versions up to, and including, 4.4.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires the victim to select view "All Cron Events" in order for the injection to fire.
Severity CVSS v4.0: Pending analysis
Last modification:
07/02/2025

CVE-2024-2088
Publication date:
22/05/2024
The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.3 via the &amp;#39;nxs_getExpSettings&amp;#39; function. This makes it possible for authenticated attackers, with subscriber access and above, to extract sensitive data including social network API keys and secrets.
Severity CVSS v4.0: Pending analysis
Last modification:
07/02/2025

CVE-2021-47461
Publication date:
22/05/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> userfaultfd: fix a race between writeprotect and exit_mmap()<br /> <br /> A race is possible when a process exits, its VMAs are removed by<br /> exit_mmap() and at the same time userfaultfd_writeprotect() is called.<br /> <br /> The race was detected by KASAN on a development kernel, but it appears<br /> to be possible on vanilla kernels as well.<br /> <br /> Use mmget_not_zero() to prevent the race as done in other userfaultfd<br /> operations.
Severity CVSS v4.0: Pending analysis
Last modification:
24/09/2025

CVE-2021-47462
Publication date:
22/05/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/mempolicy: do not allow illegal MPOL_F_NUMA_BALANCING | MPOL_LOCAL in mbind()<br /> <br /> syzbot reported access to unitialized memory in mbind() [1]<br /> <br /> Issue came with commit bda420b98505 ("numa balancing: migrate on fault<br /> among multiple bound nodes")<br /> <br /> This commit added a new bit in MPOL_MODE_FLAGS, but only checked valid<br /> combination (MPOL_F_NUMA_BALANCING can only be used with MPOL_BIND) in<br /> do_set_mempolicy()<br /> <br /> This patch moves the check in sanitize_mpol_flags() so that it is also<br /> used by mbind()<br /> <br /> [1]<br /> BUG: KMSAN: uninit-value in __mpol_equal+0x567/0x590 mm/mempolicy.c:2260<br /> __mpol_equal+0x567/0x590 mm/mempolicy.c:2260<br /> mpol_equal include/linux/mempolicy.h:105 [inline]<br /> vma_merge+0x4a1/0x1e60 mm/mmap.c:1190<br /> mbind_range+0xcc8/0x1e80 mm/mempolicy.c:811<br /> do_mbind+0xf42/0x15f0 mm/mempolicy.c:1333<br /> kernel_mbind mm/mempolicy.c:1483 [inline]<br /> __do_sys_mbind mm/mempolicy.c:1490 [inline]<br /> __se_sys_mbind+0x437/0xb80 mm/mempolicy.c:1486<br /> __x64_sys_mbind+0x19d/0x200 mm/mempolicy.c:1486<br /> do_syscall_x64 arch/x86/entry/common.c:51 [inline]<br /> do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> <br /> Uninit was created at:<br /> slab_alloc_node mm/slub.c:3221 [inline]<br /> slab_alloc mm/slub.c:3230 [inline]<br /> kmem_cache_alloc+0x751/0xff0 mm/slub.c:3235<br /> mpol_new mm/mempolicy.c:293 [inline]<br /> do_mbind+0x912/0x15f0 mm/mempolicy.c:1289<br /> kernel_mbind mm/mempolicy.c:1483 [inline]<br /> __do_sys_mbind mm/mempolicy.c:1490 [inline]<br /> __se_sys_mbind+0x437/0xb80 mm/mempolicy.c:1486<br /> __x64_sys_mbind+0x19d/0x200 mm/mempolicy.c:1486<br /> do_syscall_x64 arch/x86/entry/common.c:51 [inline]<br /> do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> =====================================================<br /> Kernel panic - not syncing: panic_on_kmsan set ...<br /> CPU: 0 PID: 15049 Comm: syz-executor.0 Tainted: G B 5.15.0-rc2-syzkaller #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011<br /> Call Trace:<br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0x1ff/0x28e lib/dump_stack.c:106<br /> dump_stack+0x25/0x28 lib/dump_stack.c:113<br /> panic+0x44f/0xdeb kernel/panic.c:232<br /> kmsan_report+0x2ee/0x300 mm/kmsan/report.c:186<br /> __msan_warning+0xd7/0x150 mm/kmsan/instrumentation.c:208<br /> __mpol_equal+0x567/0x590 mm/mempolicy.c:2260<br /> mpol_equal include/linux/mempolicy.h:105 [inline]<br /> vma_merge+0x4a1/0x1e60 mm/mmap.c:1190<br /> mbind_range+0xcc8/0x1e80 mm/mempolicy.c:811<br /> do_mbind+0xf42/0x15f0 mm/mempolicy.c:1333<br /> kernel_mbind mm/mempolicy.c:1483 [inline]<br /> __do_sys_mbind mm/mempolicy.c:1490 [inline]<br /> __se_sys_mbind+0x437/0xb80 mm/mempolicy.c:1486<br /> __x64_sys_mbind+0x19d/0x200 mm/mempolicy.c:1486<br /> do_syscall_x64 arch/x86/entry/common.c:51 [inline]<br /> do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2025
Subscribe to Vulnerabilities