Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) by virtue of a partnership agreement, under which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-27931

Publication date:
05/03/2024
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Insufficient validation of parameters in `Deno.makeTemp*` APIs would allow for creation of files outside of the allowed directories. This may allow the user to overwrite important files on the system that may affect other systems. A user may provide a prefix or suffix to a `Deno.makeTemp*` API containing path traversal characters. This is fixed in Deno 1.41.1.
Severity CVSS v4.0: Pending analysis
Last modification:
03/01/2025

CVE-2024-27561

Publication date:
05/03/2024
A Server-Side Request Forgery (SSRF) in the installUpdateThemePluginAction function of WonderCMS v3.1.3 allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the installThemePlugin parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2024-27563

Publication date:
05/03/2024
A Server-Side Request Forgery (SSRF) in the getFileFromRepo function of WonderCMS v3.1.3 allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the pluginThemeUrl parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2024-27564

Publication date:
05/03/2024
pictureproxy.php in the dirk1983 mm1.ltd source code f9f4bbc allows SSRF via the url parameter. NOTE: the references section has an archived copy of pictureproxy.php from its original GitHub location, but the repository name might later change because it is misleading.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025

CVE-2024-24098

Publication date:
05/03/2024
Code-projects Scholars Tracking System 1.0 is vulnerable to SQL Injection via the News Feed.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2022-46088

Publication date:
05/03/2024
Online Flight Booking Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the feedback form.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2025

CVE-2024-27627

Publication date:
05/03/2024
A reflected cross-site scripting (XSS) vulnerability exists in SuperCali version 1.1.0, allowing remote attackers to execute arbitrary JavaScript code via the email parameter in the bad_password.php page.
Severity CVSS v4.0: Pending analysis
Last modification:
05/08/2024

CVE-2024-27622

Publication date:
05/03/2024
A remote code execution vulnerability has been identified in the User Defined Tags module of CMS Made Simple version 2.2.19 / 2.2.21. This vulnerability arises from inadequate sanitization of user-supplied input in the 'Code' section of the module. As a result, authenticated users with administrative privileges can inject and execute arbitrary PHP code.
Severity CVSS v4.0: Pending analysis
Last modification:
28/03/2025

CVE-2024-27623

Publication date:
05/03/2024
CMS Made Simple version 2.2.19 is vulnerable to Server-Side Template Injection (SSTI). The vulnerability exists within the Design Manager, particularly when editing the Breadcrumbs.
Severity CVSS v4.0: Pending analysis
Last modification:
28/03/2025

CVE-2024-27625

Publication date:
05/03/2024
CMS Made Simple Version 2.2.19 is vulnerable to Cross Site Scripting (XSS). This vulnerability resides in the File Manager module of the admin panel. Specifically, the issue arises due to inadequate sanitization of user input in the "New directory" field.
Severity CVSS v4.0: Pending analysis
Last modification:
28/03/2025

CVE-2024-2188

Publication date:
05/03/2024
Stored Cross-Site Scripting (XSS) vulnerability in TP-Link Archer AX50 affecting firmware version 1.0.11 build 2022052. This vulnerability could allow an unauthenticated attacker to create a port mapping rule via a SOAP request and store a malicious JavaScript payload within that rule, which could result in execution of the JavaScript payload when the rule is loaded.
Severity CVSS v4.0: Pending analysis
Last modification:
04/03/2025

CVE-2023-7103

Publication date:
05/03/2024
Authentication Bypass by Primary Weakness vulnerability in ZKSoftware Biometric Security Solutions UFace 5 allows Authentication Bypass. This issue affects UFace 5: through 12022024.
Severity CVSS v4.0: Pending analysis
Last modification:
04/03/2025