Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-24513
Publication date:
06/09/2021
The Form Builder | Create Responsive Contact Forms WordPress plugin before 1.9.8.4 does not sanitise or escape its Form Title, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfiltered_html capability is disallowed
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2021

CVE-2021-24435
Publication date:
06/09/2021
The iframe-font-preview.php file of the titan-framework does not properly escape the font-weight and font-family GET parameters before outputting them back in an href attribute, leading to Reflected Cross-Site Scripting issues
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2021

CVE-2021-24390
Publication date:
06/09/2021
A proid GET parameter of the WordPress支付宝Alipay|财付通Tenpay|贝宝PayPal集成插件 WordPress plugin through 3.7.2 is not sanitised, properly escaped or validated before inserting to a SQL statement not delimited by quotes, leading to SQL injection.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-24393
Publication date:
06/09/2021
A c GET parameter of the Comment Highlighter WordPress plugin through 0.13 is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2021

CVE-2021-24392
Publication date:
06/09/2021
An id GET parameter of the WordPress Membership SwiftCloud.io WordPress plugin through 1.0 is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2021

CVE-2021-24391
Publication date:
06/09/2021
An editid GET parameter of the Cashtomer WordPress plugin through 1.0.0 is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2021

CVE-2021-24303
Publication date:
06/09/2021
The JiangQie Official Website Mini Program WordPress plugin before 1.1.1 does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2021

CVE-2021-40523
Publication date:
05/09/2021
In Contiki 3.0, Telnet option negotiation is mishandled. During negotiation between a server and a client, the server may fail to give the WILL/WONT or DO/DONT response for DO and WILL commands because of improper handling of exception condition, which leads to property violations and denial of service. Specifically, a server sometimes sends no response, because a fixed buffer space is available for all responses and that space may have been exhausted.
Severity CVSS v4.0: Pending analysis
Last modification:
10/09/2021

CVE-2021-40524
Publication date:
05/09/2021
In Pure-FTPd before 1.0.50, an incorrect max_filesize quota mechanism in the server allows attackers to upload files of unbounded size, which may lead to denial of service or a server hang. This occurs because a certain greater-than-zero test does not anticipate an initial -1 value. (Versions 1.0.23 through 1.0.49 are affected.)
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2021-40516
Publication date:
05/09/2021
WeeChat before 3.2.1 allows remote attackers to cause a denial of service (crash) via a crafted WebSocket frame that trigger an out-of-bounds read in plugins/relay/relay-websocket.c in the Relay plugin.
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2021

CVE-2021-23439
Publication date:
05/09/2021
This affects the package file-upload-with-preview before 4.2.0. A file containing malicious JavaScript code in the name can be uploaded (a user needs to be tricked into uploading such a file).
Severity CVSS v4.0: Pending analysis
Last modification:
10/09/2021

CVE-2021-40509
Publication date:
04/09/2021
ViewCommon.java in JForum2 2.7.0 allows XSS via a user signature.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2021
Subscribe to Vulnerabilities