Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-6022
Publication date:
12/07/2024
The ContentLock WordPress plugin through 1.0.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2024

CVE-2024-2430
Publication date:
12/07/2024
The Website Content in Page or Post WordPress plugin before 2024.04.09 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2024

CVE-2024-2640
Publication date:
12/07/2024
The Watu Quiz WordPress plugin before 3.4.1.2 does not sanitise and escape some of its settings, which could allow users such as authors (if they've been authorized by admins) to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2024

CVE-2024-2696
Publication date:
12/07/2024
The socialdriver-framework WordPress plugin before 2024.04.30 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Severity CVSS v4.0: Pending analysis
Last modification:
04/06/2025

CVE-2024-3112
Publication date:
12/07/2024
The Quotes and Tips by BestWebSoft WordPress plugin before 1.45 does not properly validate image files uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup)
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2024

CVE-2024-0974
Publication date:
12/07/2024
The Social Media Widget WordPress plugin before 4.0.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2025

CVE-2024-1375
Publication date:
12/07/2024
The Event post plugin for WordPress is vulnerable to unauthorized bulk metadata update due to a missing nonce check on the save_bulkdatas function in all versions up to, and including, 5.9.5. This makes it possible for unauthenticated attackers to update post_meta_data via a forged request, granted they can trick a logged-in user into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2024

CVE-2024-6677
Publication date:
12/07/2024
Privilege escalation in uberAgent
Severity CVSS v4.0: HIGH
Last modification:
25/07/2025

CVE-2024-6396
Publication date:
12/07/2024
A vulnerability in the `_backup_run` function in aimhubio/aim version 3.19.3 allows remote attackers to overwrite any file on the host server and exfiltrate arbitrary data. The vulnerability arises due to improper handling of the `run_hash` and `repo.path` parameters, which can be manipulated to create and write to arbitrary file paths. This can lead to denial of service by overwriting critical system files, loss of private data, and potential remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
23/07/2025

CVE-2024-6392
Publication date:
11/07/2024
The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to unauthorized plugin settings modification due to missing capability checks on the plugin functions in all versions up to, and including, 7.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the connected Sirv account to an attacker-controlled one.
Severity CVSS v4.0: Pending analysis
Last modification:
15/08/2024

CVE-2024-36435
Publication date:
11/07/2024
An issue was discovered on Supermicro BMC firmware in select X11, X12, H12, B12, X13, H13, and B13 motherboards (and CMM6 modules). An unauthenticated user can post crafted data to the interface that triggers a stack buffer overflow, and may lead to arbitrary remote code execution on a BMC.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2024

CVE-2024-6468
Publication date:
11/07/2024
Vault and Vault Enterprise did not properly handle requests originating from unauthorized IP addresses when the TCP listener option, proxy_protocol_behavior, was set to deny_unauthorized. When receiving a request from a source IP address that was not listed in proxy_protocol_authorized_addrs, the Vault API server would shut down and no longer respond to any HTTP requests, potentially resulting in denial of service.<br /> <br /> While this bug also affected versions of Vault up to 1.17.1 and 1.16.5, a separate regression in those release series did not allow Vault operators to configure the deny_unauthorized option, thus not allowing the conditions for the denial of service to occur.<br /> <br /> Fixed in Vault and Vault Enterprise 1.17.2, 1.16.6, and 1.15.12.
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2025
Subscribe to Vulnerabilities