Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we provide a database, in Spanish, of all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates that information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches can narrow down the results by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily updates on the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-3055

Publication date:
14/05/2024
The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to time-based SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.5.102 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2024-3037

Publication date:
14/05/2024
An arbitrary file deletion vulnerability exists in PaperCut NG/MF, specifically affecting Windows servers with Web Print enabled. To exploit this vulnerability, an attacker must first obtain local login access to the Windows Server hosting PaperCut NG/MF and be capable of executing low-privilege code directly on the server.

Important: In most installations, this risk is mitigated by the default Windows Server configuration, which typically restricts local login access to Administrators only. However, this vulnerability could pose a risk to customers who allow non-administrative users to log in to the local console of the Windows environment hosting the PaperCut NG/MF application server.

Note: This CVE has been split into two separate CVEs (CVE-2024-3037 and CVE-2024-8404) and it’s been rescored with a "Privileges Required (PR)" rating of low, and "Attack Complexity (AC)" rating of low, reflecting the worst-case scenario where an Administrator has granted local login access to standard users on the host server.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2025

CVE-2024-3016

Publication date:
14/05/2024
NEC Platforms DT900 and DT900S Series 5.0.0.0 – v5.3.4.4, v5.4.0.0 – v5.6.0.20 allow an unauthenticated attacker on the local network to access undocumented system settings and change settings.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2024

CVE-2024-35205

Publication date:
14/05/2024
The WPS Office (aka cn.wps.moffice_eng) application before 17.0.0 for Android fails to properly sanitize file names before processing them through external application interactions, leading to a form of path traversal. This potentially enables any application to dispatch a crafted library file, aiming to overwrite an existing native library utilized by WPS Office. Successful exploitation could result in the execution of arbitrary commands under the guise of WPS Office's application ID.
Severity CVSS v4.0: Pending analysis
Last modification:
20/08/2024

CVE-2024-35172

Publication date:
14/05/2024
Server-Side Request Forgery (SSRF) vulnerability in ShortPixel ShortPixel Adaptive Images. This issue affects ShortPixel Adaptive Images: from n/a through 3.8.3.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2024

CVE-2024-35204

Publication date:
14/05/2024
Veritas System Recovery before 23.3_Hotfix has incorrect permissions for the Veritas System Recovery folder, and thus low-privileged users can conduct attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2024

CVE-2024-35170

Publication date:
14/05/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hidden Depth Sticky banner allows Stored XSS. This issue affects Sticky banner: from n/a through 1.2.0.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2024

CVE-2024-35171

Publication date:
14/05/2024
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Academy LMS academy. This issue affects Academy LMS: from n/a through 1.9.25.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2025

CVE-2024-35166

Publication date:
14/05/2024
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Ninja Team Filebird. This issue affects Filebird: from n/a through 5.6.3.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2025

CVE-2024-35167

Publication date:
14/05/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EnvoThemes Envo's Elementor Templates & Widgets for WooCommerce allows Stored XSS. This issue affects Envo's Elementor Templates & Widgets for WooCommerce: from n/a through 1.4.8.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2025

CVE-2024-35169

Publication date:
14/05/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AREOI All Bootstrap Blocks allows Stored XSS. This issue affects All Bootstrap Blocks: from n/a through 1.3.15.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2024

CVE-2024-35049

Publication date:
14/05/2024
SurveyKing v1.3.1 was discovered to keep users' sessions active after logout. Related to an incomplete fix for CVE-2022-25590.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2025