Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-48681

Publication date:
28/05/2024
Some Huawei smart speakers have a memory overflow vulnerability. Successful exploitation of this vulnerability may cause certain functions to fail.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2025

CVE-2024-32944

Publication date:
28/05/2024
Path traversal vulnerability exists in UTAU versions prior to v0.4.19. If a user of the product installs a crafted UTAU voicebank installer (.uar file, .zip file) to UTAU, an arbitrary file may be placed.
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2024

CVE-2024-28886

Publication date:
28/05/2024
OS command injection vulnerability exists in UTAU versions prior to v0.4.19. If a user of the product opens a crafted UTAU project file (.ust file), an arbitrary OS command may be executed.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2024-28880

Publication date:
28/05/2024
Path traversal vulnerability in MosP kintai kanri V4.6.6 and earlier allows a remote attacker who can log in to the product to obtain sensitive information of the product.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2024-29078

Publication date:
28/05/2024
Incorrect permission assignment for critical resource issue exists in MosP kintai kanri V4.6.6 and earlier, which may allow a remote unauthenticated attacker with access to the product to alter the product settings.
Severity CVSS v4.0: Pending analysis
Last modification:
28/03/2025

CVE-2024-36428

Publication date:
27/05/2024
OrangeHRM 3.3.3 allows admin/viewProjects sortOrder SQL injection.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2025

CVE-2024-36426

Publication date:
27/05/2024
In TARGIT Decision Suite 23.2.15007.0 before Autumn 2023, the session token is part of the URL and may be sent in a cleartext HTTP session.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2025

CVE-2024-34923

Publication date:
27/05/2024
In Avocent DSR2030 Appliance firmware 03.04.00.07 before 03.07.01.23, and SVIP1020 Appliance firmware 01.06.00.03 before 01.07.00.00, there is reflected cross-site scripting (XSS).
Severity CVSS v4.0: Pending analysis
Last modification:
02/12/2024

CVE-2024-29415

Publication date:
27/05/2024
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
Severity CVSS v4.0: Pending analysis
Last modification:
17/01/2025

CVE-2024-35181

Publication date:
27/05/2024
Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.22 may lead to arbitrary file write by using a SQL injection stacked queries payload, and the ATTACH DATABASE command. Additionally, attackers may be able to access and modify any data stored in the database, like performance profiles (which may contain session cookies), Meshery application data, or any Kubernetes configuration added to the system. The Meshery project exposes the function `GetMeshSyncResourcesKinds` at the API URL `/api/system/meshsync/resources/kinds`. The order query parameter is directly used to build a SQL query in `meshync_handler.go`. Version 0.7.22 fixes this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2024

CVE-2024-35182

Publication date:
27/05/2024
Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.22 may lead to arbitrary file write by using a SQL injection stacked queries payload, and the ATTACH DATABASE command. Additionally, attackers may be able to access and modify any data stored in the database, like performance profiles (which may contain session cookies), Meshery application data, or any Kubernetes configuration added to the system. The Meshery project exposes the function `GetAllEvents` at the API URL `/api/v2/events`. The sort query parameter read in `events_streamer.go` is directly used to build a SQL query in `events_persister.go`. Version 0.7.22 fixes this issue by using the `SanitizeOrderInput` function.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2024

CVE-2024-36105

Publication date:
27/05/2024
dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Prior to versions 1.6.15, 1.7.15, and 1.8.1, Binding to `INADDR_ANY (0.0.0.0)` or `IN6ADDR_ANY (::)` exposes an application on all network interfaces, increasing the risk of unauthorized access. As stated in the Python docs, a special form for address is accepted instead of a host address: `&amp;#39;&amp;#39;` represents `INADDR_ANY`, equivalent to `"0.0.0.0"`. On systems with IPv6, &amp;#39;&amp;#39; represents `IN6ADDR_ANY`, which is equivalent to `"::"`. A user who serves docs on an unsecured public network, may unknowingly be hosting an unsecured (http) web site for any remote user/system to access on the same network. The issue has has been mitigated in dbt-core v1.6.15, dbt-core v1.7.15, and dbt-core v1.8.1 by binding to localhost explicitly by default in `dbt docs serve`.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2024