Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-50811

Publication date:
19/03/2024
An issue discovered in SELESTA Visual Access Manager 4.38.6 allows attackers to modify the “computer” POST parameter related to the ID of a specific reception by POST HTTP request interception. Iterating that parameter, it has been possible to access to the application and take control of many other receptions in addition the assigned one.
Severity CVSS v4.0: Pending analysis
Last modification:
27/03/2025

CVE-2024-28389

Publication date:
19/03/2024
SQL injection vulnerability in KnowBand spinwheel v.3.0.3 and before allows a remote attacker to gain escalated privileges and obtain sensitive information via the SpinWheelFrameSpinWheelModuleFrontController::sendEmail() method.
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2024

CVE-2024-2641

Publication date:
19/03/2024
A vulnerability was found in Ruijie RG-NBS2009G-P up to 20240305. It has been classified as critical. Affected is an unknown function of the file /system/passwdManage.htm of the component Password Handler. The manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257280. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2024

CVE-2024-28092

Publication date:
19/03/2024
UBEE DDW365 XCNDDW365 8.14.3105 software on hardware 3.13.1 allows a remote attacker within Wi-Fi proximity to conduct stored XSS attacks via RgFirewallEL.asp, RgDdns.asp, RgTime.asp, RgDiagnostics.asp, or RgParentalBasic.asp. The affected fields are SMTP Server Name, SMTP Username, Host Name, Time Server 1, Time Server 2, Time Server 3, Target, Add Keyword, Add Domain, and Add Allowed Domain.
Severity CVSS v4.0: Pending analysis
Last modification:
31/10/2024

CVE-2024-28283

Publication date:
19/03/2024
There is stack-based buffer overflow vulnerability in pc_change_act function in Linksys E1000 router firmware version v.2.1.03 and before, leading to remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2025

CVE-2024-28715

Publication date:
19/03/2024
Cross Site Scripting vulnerability in DOraCMS v.2.18 and before allows a remote attacker to execute arbitrary code via the markdown0 function in the /app/public/apidoc/oas3/wrap-components/markdown.jsx endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2025

CVE-2024-24336

Publication date:
19/03/2024
A multiple Cross-site scripting (XSS) vulnerability in the '/members/moremember.pl', and ‘/members/members-home.pl’ endpoints within Koha Library Management System version 23.05.05 and earlier allows malicious staff users to carry out CSRF attacks, including unauthorized changes to usernames and passwords of users visiting the affected page, via the 'Circulation note' and ‘Patrons Restriction’ components.
Severity CVSS v4.0: Pending analysis
Last modification:
21/11/2024

CVE-2024-28394

Publication date:
19/03/2024
An issue in Advanced Plugins reportsstatistics v1.3.20 and before allows a remote attacker to execute arbitrary code via the Sales Reports, Statistics, Custom Fields & Export module.
Severity CVSS v4.0: Pending analysis
Last modification:
28/10/2024

CVE-2024-28595

Publication date:
19/03/2024
SQL Injection vulnerability in Employee Management System v1.0 allows attackers to run arbitrary SQL commands via the admin_id parameter in update-admin.php.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2025

CVE-2024-2169

Publication date:
19/03/2024
Implementations of UDP application protocol are vulnerable to network loops. An unauthenticated attacker can use maliciously-crafted packets against a vulnerable implementation that can lead to Denial of Service (DOS) and/or abuse of resources.
Severity CVSS v4.0: Pending analysis
Last modification:
21/11/2024

CVE-2024-29027

Publication date:
19/03/2024
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection, internal store manipulation or remote code execution. The patch in versions 6.5.5 and 7.0.0-alpha.29 added string sanitation for Cloud Function name and Cloud Job name. As a workaround, sanitize the Cloud Function name and Cloud Job name before it reaches Parse Server.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2024

CVE-2024-28303

Publication date:
19/03/2024
Open Source Medicine Ordering System v1.0 was discovered to contain a SQL injection vulnerability via the date parameter at /admin/reports/index.php.
Severity CVSS v4.0: Pending analysis
Last modification:
31/10/2024