Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-54137

Publication date:
06/12/2024
liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. A correctness error has been identified in the reference implementation of the HQC key encapsulation mechanism. Due to an indexing error, part of the secret key is incorrectly treated as non-secret data. This results in an incorrect shared secret value being returned when the decapsulation function is called with a malformed ciphertext. This vulnerability is fixed in 0.12.0.
Severity CVSS v4.0: Pending analysis
Last modification:
20/08/2025

CVE-2024-50677

Publication date:
06/12/2024
A cross-site scripting (XSS) vulnerability in OroPlatform CMS v5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Search parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
13/06/2025

CVE-2024-30129

Publication date:
06/12/2024
The HTTP host header can be manipulated and cause the application to behave in unexpected ways. Any changes made to the header would cause the request to be sent to a completely different domain/IP address.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2024

CVE-2024-12254

Publication date:
06/12/2024
Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users, you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using .writelines() method which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true then your usage of Python is unaffected.
Severity CVSS v4.0: HIGH
Last modification:
04/04/2025

CVE-2024-54141

Publication date:
06/12/2024
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Prior to 4.0.0, phpMyFAQ exposes the database (i.e. PostgreSQL) server's credential when connection to DB fails. This vulnerability is fixed in 4.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
15/08/2025

CVE-2024-42196

Publication date:
06/12/2024
HCL Launch stores potentially sensitive information in log files that could be read by a local user with access to HTTP request logs.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2024

CVE-2024-11738

Publication date:
06/12/2024
A flaw was found in Rustls 0.23.13 and related APIs. This vulnerability allows denial of service (panic) via a fragmented TLS ClientHello message.
Severity CVSS v4.0: Pending analysis
Last modification:
29/07/2025

CVE-2024-54212

Publication date:
06/12/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Noor alam Magical Addons For Elementor allows Stored XSS. This issue affects Magical Addons For Elementor: from n/a through 1.2.6.
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2025

CVE-2024-54213

Publication date:
06/12/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zionbuilder.io WordPress Page Builder – Zion Builder allows Stored XSS. This issue affects WordPress Page Builder – Zion Builder: from n/a through 3.6.12.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2024

CVE-2024-54214

Publication date:
06/12/2024
Unrestricted Upload of File with Dangerous Type vulnerability in Roninwp Revy allows Upload a Web Shell to a Web Server. This issue affects Revy: from n/a through 1.18.
Severity CVSS v4.0: Pending analysis
Last modification:
20/12/2024

CVE-2024-54216

Publication date:
06/12/2024
Path Traversal: '.../...//' vulnerability in Repute InfoSystems ARForms allows Path Traversal. This issue affects ARForms: from n/a through 6.4.1.
Severity CVSS v4.0: Pending analysis
Last modification:
20/12/2024

CVE-2024-54211

Publication date:
06/12/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Visualmodo Borderless allows Cross-Site Scripting (XSS). This issue affects Borderless: from n/a through 1.5.8.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2025