Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-22275

Publication date:

21/05/2024

The vCenter Server contains a partial file read vulnerability. A malicious actor with administrative privileges on the vCenter appliance shell may exploit this issue to partially read arbitrary files containing sensitive data.

Severity CVSS v4.0: Pending analysis

Last modification:

27/06/2025

CVE-2024-31757

Publication date:

21/05/2024

An issue in TeraByte Unlimited Image for Windows v.3.64.0.0 and before and fixed in v.4.0.0.0 allows a local attacker to escalate privileges via the TBOFLHelper64.sys and TBOFLHelper.sys component.

Severity CVSS v4.0: Pending analysis

Last modification:

29/08/2024

CVE-2024-35056

Publication date:

21/05/2024

NASA AIT-Core v2.5.2 was discovered to contain multiple SQL injection vulnerabilities via the query_packets and insert functions.

Severity CVSS v4.0: Pending analysis

Last modification:

03/06/2025

CVE-2024-35057

Publication date:

21/05/2024

An issue in NASA AIT-Core v2.5.2 allows attackers to execute arbitrary code via a crafted packet.

Severity CVSS v4.0: Pending analysis

Last modification:

03/06/2025

CVE-2024-35058

Publication date:

21/05/2024

An issue in the API wait function of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary code via supplying a crafted string.

Severity CVSS v4.0: Pending analysis

Last modification:

03/06/2025

CVE-2024-4154

Publication date:

21/05/2024

In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulnerability allows unprivileged users to rename projects they do not have access to. Specifically, an unprivileged user can send a PATCH request to the project&#39;s endpoint with a new name for a project, despite not having the necessary permissions or being assigned to the project. This issue allows for unauthorized modification of project names, potentially leading to confusion or unauthorized access to project resources.

Severity CVSS v4.0: Pending analysis

Last modification:

31/01/2025

CVE-2024-34240

Publication date:

21/05/2024

QDOCS Smart School 7.0.0 is vulnerable to Cross Site Scripting (XSS) resulting in arbitrary code execution in admin functions related to adding or updating records.

Severity CVSS v4.0: Pending analysis

Last modification:

14/11/2025

CVE-2024-22273

Publication date:

21/05/2024

The storage controllers on VMware ESXi, Workstation, and Fusion have out-of-bounds read/write vulnerability. A malicious actor with access to a virtual machine with storage controllers enabled may exploit this issue to create a denial of service condition or execute code on the hypervisor from a virtual machine in conjunction with other issues.

Severity CVSS v4.0: Pending analysis

Last modification:

26/03/2025

CVE-2024-36052

Publication date:

21/05/2024

RARLAB WinRAR before 7.00, on Windows, allows attackers to spoof the screen output via ANSI escape sequences, a different issue than CVE-2024-33899.

Severity CVSS v4.0: Pending analysis

Last modification:

20/06/2025

CVE-2024-31844

Publication date:

21/05/2024

An issue was discovered in Italtel Embrace 1.6.4. The server does not properly handle application errors. In some cases, this leads to a disclosure of information about the server. An unauthenticated user is able craft specific requests in order to make the application generate an error. Inside an error message, some information about the server is revealed, such as the absolute path of the source code of the application. This kind of information can help an attacker to perform other attacks against the system. This can be exploited without authentication.

Severity CVSS v4.0: Pending analysis

Last modification:

13/03/2025

CVE-2024-31845

Publication date:

21/05/2024

An issue was discovered in Italtel Embrace 1.6.4. The product does not neutralize or incorrectly neutralizes output that is written to logs. The web application writes logs using a GET query string parameter. This parameter can be modified by an attacker, so that every action he performs is attributed to a different user. This can be exploited without authentication.

Severity CVSS v4.0: Pending analysis

Last modification:

21/05/2025

CVE-2024-31847

Publication date:

21/05/2024

An issue was discovered in Italtel Embrace 1.6.4. A stored cross-site scripting (XSS) vulnerability allows authenticated and unauthenticated remote attackers to inject arbitrary web script or HTML into a GET parameter. This reflects/stores the user input without sanitization.

Severity CVSS v4.0: Pending analysis

Last modification:

13/03/2025

Subscribe to Vulnerabilities