Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-11830
Publication date:
08/01/2025
The PDF Flipbook, 3D Flipbook—DearFlip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via outline settings in all versions up to 2.3.52 due to insufficient input sanitization and output escaping on user-supplied data. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-12337
Publication date:
08/01/2025
The Shipping via Planzer for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘processed-ids’ parameter in all versions up to, and including, 1.0.25 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-12854
Publication date:
08/01/2025
The Garden Gnome Package plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the functionality that automatically extracts 'ggpkg' files that have been uploaded in all versions up to, and including, 2.3.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-12853
Publication date:
08/01/2025
The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the zip upload functionality in all versions up to, and including, 2.11.10. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity CVSS v4.0: Pending analysis
Last modification:
15/12/2025

CVE-2024-12712
Publication date:
08/01/2025
The Shopping Cart & eCommerce Store plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the webhook function in all versions up to, and including, 5.7.8. This makes it possible for unauthenticated attackers to modify order statuses.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-45033
Publication date:
08/01/2025
Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider.<br /> <br /> This issue affects Apache Airflow Fab Provider: before 1.5.2.<br /> <br /> When user password has been changed with admin CLI, the sessions for that user have not been cleared, leading to insufficient session expiration, thus logged users could continue to be logged in even after the password was changed. This only happened when the password was changed with CLI. The problem does not happen in case change was done with webserver thus this is different from  CVE-2023-40273 https://github.com/advisories/GHSA-pm87-24wq-r8w9  which was addressed in Apache-Airflow 2.7.0<br /> <br /> <br /> Users are recommended to upgrade to version 1.5.2, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2025

CVE-2024-54676
Publication date:
08/01/2025
Vendor: The Apache Software Foundation<br /> <br /> Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0<br /> <br /> Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html  doesn&amp;#39;t specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data.<br /> Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant &amp;#39;openjpa.serialization.class.blacklist&amp;#39; and &amp;#39;openjpa.serialization.class.whitelist&amp;#39; configurations as shown in the documentation.
Severity CVSS v4.0: Pending analysis
Last modification:
15/01/2025

CVE-2024-9939
Publication date:
08/01/2025
The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.13 via wfu_file_downloader.php. This makes it possible for unauthenticated attackers to read files outside of the originally intended directory.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2024-13185
Publication date:
08/01/2025
The MinigameCenter module has insufficient restrictions on loading URLs, which may lead to some information leakage.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2024-13186
Publication date:
08/01/2025
The MinigameCenter module has insufficient restrictions on loading URLs, which may lead to some information leakage.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2024-11350
Publication date:
08/01/2025
The AdForest theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.1.6. This is due to the plugin not properly validating a user&amp;#39;s identity prior to updating their password through the adforest_reset_password() function. This makes it possible for unauthenticated attackers to change arbitrary user&amp;#39;s passwords, including administrators, and leverage that to gain access to their account.
Severity CVSS v4.0: Pending analysis
Last modification:
12/08/2025

CVE-2024-12855
Publication date:
08/01/2025
The AdForest theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX actions like &amp;#39;sb_remove_ad&amp;#39; in all versions up to, and including, 5.1.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete posts, attachments and deactivate a license.
Severity CVSS v4.0: Pending analysis
Last modification:
12/08/2025
Subscribe to Vulnerabilities