Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-28715

Publication date:

19/03/2024

Cross Site Scripting vulnerability in DOraCMS v.2.18 and before allows a remote attacker to execute arbitrary code via the markdown0 function in the /app/public/apidoc/oas3/wrap-components/markdown.jsx endpoint.

Severity CVSS v4.0: Pending analysis

Last modification:

24/06/2025

CVE-2024-24336

Publication date:

19/03/2024

A multiple Cross-site scripting (XSS) vulnerability in the &#39;/members/moremember.pl&#39;, and ‘/members/members-home.pl’ endpoints within Koha Library Management System version 23.05.05 and earlier allows malicious staff users to carry out CSRF attacks, including unauthorized changes to usernames and passwords of users visiting the affected page, via the &#39;Circulation note&#39; and ‘Patrons Restriction’ components.

Severity CVSS v4.0: Pending analysis

Last modification:

21/11/2024

CVE-2024-28394

Publication date:

19/03/2024

An issue in Advanced Plugins reportsstatistics v1.3.20 and before allows a remote attacker to execute arbitrary code via the Sales Reports, Statistics, Custom Fields & Export module.

Severity CVSS v4.0: Pending analysis

Last modification:

28/10/2024

CVE-2024-28595

Publication date:

19/03/2024

SQL Injection vulnerability in Employee Management System v1.0 allows attackers to run arbitrary SQL commands via the admin_id parameter in update-admin.php.

Severity CVSS v4.0: Pending analysis

Last modification:

13/05/2025

CVE-2024-2169

Publication date:

19/03/2024

Implementations of UDP application protocol are vulnerable to network loops. An unauthenticated attacker can use maliciously-crafted packets against a vulnerable implementation that can lead to Denial of Service (DOS) and/or abuse of resources.

Severity CVSS v4.0: Pending analysis

Last modification:

21/11/2024

CVE-2024-29027

Publication date:

19/03/2024

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection, internal store manipulation or remote code execution. The patch in versions 6.5.5 and 7.0.0-alpha.29 added string sanitation for Cloud Function name and Cloud Job name. As a workaround, sanitize the Cloud Function name and Cloud Job name before it reaches Parse Server.

Severity CVSS v4.0: Pending analysis

Last modification:

20/03/2024

CVE-2024-28303

Publication date:

19/03/2024

Open Source Medicine Ordering System v1.0 was discovered to contain a SQL injection vulnerability via the date parameter at /admin/reports/index.php.

Severity CVSS v4.0: Pending analysis

Last modification:

31/10/2024

CVE-2024-29094

Publication date:

19/03/2024

Improper Neutralization of Input During Web Page Generation (&#39;Cross-site Scripting&#39;) vulnerability in HasThemes HT Easy GA4 ( Google Analytics 4 ) allows Stored XSS.This issue affects HT Easy GA4 ( Google Analytics 4 ): from n/a through 1.1.7.

Severity CVSS v4.0: Pending analysis

Last modification:

20/03/2024

CVE-2024-2307

Publication date:

19/03/2024

A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built.

Severity CVSS v4.0: Pending analysis

Last modification:

22/05/2024

CVE-2024-2442

Publication date:

19/03/2024

Franklin Fueling System EVO 550 and EVO 5000 are vulnerable to a Path Traversal vulnerability that could allow an attacker to access sensitive files on the system.

Severity CVSS v4.0: Pending analysis

Last modification:

20/03/2024

CVE-2024-2545

Publication date:

19/03/2024

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-1730. Reason: This candidate is a duplicate of CVE-2024-1730. Notes: All CVE users should reference CVE-2024-1730 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Severity CVSS v4.0: Pending analysis

Last modification:

19/03/2024

CVE-2024-29091

Publication date:

19/03/2024

Improper Neutralization of Input During Web Page Generation (&#39;Cross-site Scripting&#39;) vulnerability in Dnesscarkey WP Armour – Honeypot Anti Spam allows Reflected XSS.This issue affects WP Armour – Honeypot Anti Spam: from n/a through 2.1.13.

Severity CVSS v4.0: Pending analysis

Last modification:

20/03/2024

Subscribe to Vulnerabilities