Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we have made available to interested users a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible, since different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-47479

Publication date:
22/05/2024
In the Linux kernel, the following vulnerability has been resolved:

staging: rtl8712: fix use-after-free in rtl8712_dl_fw

Syzbot reported use-after-free in rtl8712_dl_fw(). The problem was in race condition between r871xu_dev_remove() ->ndo_open() callback.

It's easy to see from crash log, that driver accesses released firmware in ->ndo_open() callback. It may happen, since driver was releasing firmware _before_ unregistering netdev. Fix it by moving unregister_netdev() before cleaning up resources.

Call Trace:
...
rtl871x_open_fw drivers/staging/rtl8712/hal_init.c:83 [inline]
rtl8712_dl_fw+0xd95/0xe10 drivers/staging/rtl8712/hal_init.c:170
rtl8712_hal_init drivers/staging/rtl8712/hal_init.c:330 [inline]
rtl871x_hal_init+0xae/0x180 drivers/staging/rtl8712/hal_init.c:394
netdev_open+0xe6/0x6c0 drivers/staging/rtl8712/os_intfs.c:380
__dev_open+0x2bc/0x4d0 net/core/dev.c:1484

Freed by task 1306:
...
release_firmware+0x1b/0x30 drivers/base/firmware_loader/main.c:1053
r871xu_dev_remove+0xcc/0x2c0 drivers/staging/rtl8712/usb_intf.c:599
usb_unbind_interface+0x1d8/0x8d0 drivers/usb/core/driver.c:458
Severity CVSS v4.0: Pending analysis
Last modification:
24/09/2025

CVE-2021-47480

Publication date:
22/05/2024
In the Linux kernel, the following vulnerability has been resolved:

scsi: core: Put LLD module refcnt after SCSI device is released

SCSI host release is triggered when SCSI device is freed. We have to make sure that the low-level device driver module won't be unloaded before SCSI host instance is released because shost->hostt is required in the release handler.

Make sure to put LLD module refcnt after SCSI device is released.

Fixes a kernel panic of 'BUG: unable to handle page fault for address' reported by Changhui and Yi.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2025

CVE-2024-32988

Publication date:
22/05/2024
'OfferBox' App for Android versions 2.0.0 to 2.3.17 and 'OfferBox' App for iOS versions 2.1.7 to 2.6.14 use a hard-coded secret key for JWT. Secret key for JWT may be retrieved if the application binary is reverse-engineered.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2024-3666

Publication date:
22/05/2024
The Opal Estate Pro – Property Management and Submission plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the agent latitude and longitude parameters in all versions up to, and including, 1.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
22/05/2024

CVE-2024-3671

Publication date:
22/05/2024
The Print-O-Matic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'print-me' shortcode in all versions up to, and including, 2.1.10 due to insufficient input sanitization and output escaping on user supplied attributes such as 'tag'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
22/05/2024

CVE-2024-4157

Publication date:
22/05/2024
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.1.15 via deserialization of untrusted input in the extractDynamicValues function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. Successful exploitation requires the attacker to have "View Form" and "Manage Form" permissions, which must be explicitly set by an administrator. However, this requirement can be bypassed when this vulnerability is chained with CVE-2024-2771.
Severity CVSS v4.0: Pending analysis
Last modification:
06/02/2025

CVE-2024-5147

Publication date:
22/05/2024
The WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.37 via the 'grid_style' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2024-2119

Publication date:
22/05/2024
The LuckyWP Table of Contents plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the attrs parameter in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2025

CVE-2024-2163

Publication date:
22/05/2024
The Ninja Beaver Add-ons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping on user supplied attributes such as urls. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
22/05/2024

CVE-2024-2953

Publication date:
22/05/2024
The LuckyWP Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Contributor permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2025

CVE-2023-6487

Publication date:
22/05/2024
The LuckyWP Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Header Title' field in all versions up to and including 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2025

CVE-2024-0632

Publication date:
22/05/2024
The Automatic Translator with Google Translate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom font setting in all versions up to, and including, 1.5.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity CVSS v4.0: Pending analysis
Last modification:
22/05/2024