Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-27442

Publication date:
12/08/2024
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The zmmailboxdmgr binary, a component of ZCS, is intended to be executed by the zimbra user with root privileges for specific mailbox operations. However, an attacker can escalate privileges from the zimbra user to root, because of improper handling of input arguments. An attacker can execute arbitrary commands with elevated privileges, leading to local privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2024

CVE-2024-27443

Publication date:
12/08/2024
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.
Severity CVSS v4.0: Pending analysis
Last modification:
31/10/2025

CVE-2024-33533

Publication date:
12/08/2024
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0, issue 1 of 2. A reflected cross-site scripting (XSS) vulnerability has been identified in the Zimbra webmail admin interface. This vulnerability occurs due to inadequate input validation of the packages parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user's browser session. By uploading a malicious JavaScript file and crafting a URL containing its location in the packages parameter, the attacker can exploit this vulnerability. Subsequently, when another user visits the crafted URL, the malicious JavaScript code is executed.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2025

CVE-2024-33535

Publication date:
12/08/2024
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability involves unauthenticated local file inclusion (LFI) in a web application, specifically impacting the handling of the packages parameter. Attackers can exploit this flaw to include arbitrary local files without authentication, potentially leading to unauthorized access to sensitive information. The vulnerability is limited to files within a specific directory.
Severity CVSS v4.0: Pending analysis
Last modification:
19/03/2025

CVE-2024-33536

Publication date:
12/08/2024
An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability occurs due to inadequate input validation of the res parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user's browser session. By uploading a malicious JavaScript file, accessible externally, and crafting a URL containing its location in the res parameter, the attacker can exploit this vulnerability. Subsequently, when another user visits the crafted URL, the malicious JavaScript code is executed.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2025

CVE-2024-38530

Publication date:
12/08/2024
The Open eClass platform (formerly known as GUnet eClass) is a complete Course Management System. An arbitrary file upload vulnerability in the "save" functionality of the H5P module enables unauthenticated users to upload arbitrary files on the server's filesystem. This may lead to unrestricted RCE on the backend server, since the upload location is accessible from the internet. This vulnerability is fixed in 3.16.
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2024

CVE-2024-42258

Publication date:
12/08/2024
In the Linux kernel, the following vulnerability has been resolved:

mm: huge_memory: use !CONFIG_64BIT to relax huge page alignment on 32 bit machines

Yves-Alexis Perez reported commit 4ef9ad19e176 ("mm: huge_memory: don't force huge page alignment on 32 bit") didn't work for x86_32 [1]. It is because x86_32 uses CONFIG_X86_32 instead of CONFIG_32BIT.

!CONFIG_64BIT should cover all 32 bit machines.

[1] https://lore.kernel.org/linux-mm/CAHbLzkr1LwH3pcTgM+aGQ31ip2bKqiqEQ8=FQB+t2c3dhNKNHA@mail.gmail.com/
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-21550

Publication date:
12/08/2024
SteVe is an open platform that implements different versions of the OCPP protocol for Electric Vehicle charge points, acting as a central server for management of registered charge points. Attackers can inject arbitrary HTML and JavaScript code via WebSockets, leading to persistent Cross-Site Scripting in the SteVe management interface.
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2024

CVE-2024-6639

Publication date:
12/08/2024
The MDx theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mdx_list_item' shortcode in all versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-7693

Publication date:
12/08/2024
Raiden MAILD Remote Management System from Team Johnlong Software has a Relative Path Traversal vulnerability, allowing unauthenticated remote attackers to read arbitrary files on the remote server.
Severity CVSS v4.0: Pending analysis
Last modification:
06/09/2024

CVE-2024-7694

Publication date:
12/08/2024
ThreatSonar Anti-Ransomware from TeamT5 does not properly validate the content of uploaded files. Remote attackers with administrator privileges on the product platform can upload malicious files, which can be used to execute arbitrary system commands on the server.
Severity CVSS v4.0: Pending analysis
Last modification:
18/02/2026

CVE-2024-7697

Publication date:
12/08/2024
Logical vulnerability in the mobile application (com.transsion.carlcare) may lead to user information leakage risks.
Severity CVSS v4.0: Pending analysis
Last modification:
13/11/2025