Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates that information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters, you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-2544

Publication date:
15/06/2024
The Popup Builder plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on all AJAX actions. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform multiple unauthorized actions, such as deleting subscribers, and importing subscribers to conduct stored cross-site scripting attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2024

CVE-2024-3813

Publication date:
15/06/2024
The tagDiv Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8 via the 'td_block_title' shortcode 'block_template_id' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
Severity CVSS v4.0: Pending analysis
Last modification:
07/08/2024

CVE-2024-30119

Publication date:
14/06/2024
HCL DRYiCE Optibot Reset Station is impacted by a missing Strict Transport Security Header. This could allow an attacker to intercept or manipulate data during redirection.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2024-30120

Publication date:
14/06/2024
HCL DRYiCE Optibot Reset Station is impacted by an Unused Parameter in the web application.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2024

CVE-2024-6003

Publication date:
14/06/2024
A vulnerability was found in Guangdong Baolun Electronics IP Network Broadcasting Service Platform 2.0. It has been classified as critical. Affected is an unknown function of the file /api/v2/maps. The manipulation of the argument orderColumn leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-268692. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2024

CVE-2024-21988

Publication date:
14/06/2024
StorageGRID (formerly StorageGRID Webscale) versions prior to 11.7.0.9 and 11.8.0.5 are susceptible to disclosure of sensitive information via complex MiTM attacks due to a vulnerability in the SSH cryptographic implementation.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2024

CVE-2024-2875

Publication date:
14/06/2024
Rejected reason: ** REJECT ** Duplicate reservation. Please use CVE-2024-4258 instead.
Severity CVSS v4.0: Pending analysis
Last modification:
14/06/2024

CVE-2024-37831

Publication date:
14/06/2024
Itsourcecode Payroll Management System 1.0 is vulnerable to SQL Injection in payroll_items.php via the ID parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2024

CVE-2024-37889

Publication date:
14/06/2024
MyFinances is a web application for managing finances. MyFinances has a way to access other customer invoices while signed in as a user. This method allows an actor to access PII and financial information from another account. The vulnerability is fixed in 0.4.6.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2024

CVE-2024-36600

Publication date:
14/06/2024
Buffer Overflow Vulnerability in libcdio v2.1.0 allows an attacker to execute arbitrary code via a crafted ISO 9660 image file.
Severity CVSS v4.0: Pending analysis
Last modification:
20/06/2025

CVE-2024-24320

Publication date:
14/06/2024
Directory Traversal vulnerability in Mgt-commerce CloudPanel v.2.0.0 thru v.2.4.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the service parameter of the load-logfiles function.
Severity CVSS v4.0: Pending analysis
Last modification:
21/08/2024

CVE-2024-36598

Publication date:
14/06/2024
An arbitrary file upload vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary code via uploading a crafted image file.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024