Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-8437
Publication date:
25/09/2024
The WP Easy Gallery – WordPress Gallery Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions hooked via AJAX like wpeg_settings and wpeg_add_gallery in all versions up to, and including, 4.8.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify galleries.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2025

CVE-2024-8436
Publication date:
25/09/2024
The WP Easy Gallery – WordPress Gallery Plugin plugin for WordPress is vulnerable to SQL Injection via the 'edit_imageId' and 'edit_imageDelete' parameters in all versions up to, and including, 4.8.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2025

CVE-2024-8497
Publication date:
25/09/2024
Franklin Fueling Systems TS-550 EVO versions prior to 2.26.4.8967 possess a file that can be read arbitrarily that could allow an attacker obtain administrator credentials.
Severity CVSS v4.0: HIGH
Last modification:
15/04/2026

CVE-2024-7398
Publication date:
25/09/2024
Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N Thank you, Yusuke Uchida for reporting. CNA updated this risk rank on 20 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC)
Severity CVSS v4.0: MEDIUM
Last modification:
21/01/2025

CVE-2024-8267
Publication date:
25/09/2024
The Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' attribute within the 'wp:radio-player' Gutenberg block in all versions up to, and including, 2.0.78 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2024-8103
Publication date:
25/09/2024
The WP Category Dropdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' parameter in all versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2024-8067
Publication date:
25/09/2024
In versions of Helix Core prior to 2024.1 Patch 2 (2024.1/2655224) a Windows ANSI API Unicode "best fit" argument injection was identified.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2024-46610
Publication date:
25/09/2024
An access control issue in IceCMS v3.4.7 and before allows attackers to arbitrarily modify users' information, including username and password, via a crafted POST request sent to the endpoint /User/ChangeUser/s in the ChangeUser function in UserController.java
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2024

CVE-2024-46934
Publication date:
25/09/2024
Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier is vulnerable to DOM-based Cross-site Scripting (XSS). Attackers may be able to abuse the UpdateOTRAck method to forge a message that contains an XSS payload.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2025

CVE-2024-46935
Publication date:
25/09/2024
Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier is vulnerable to denial of service (DoS). Attackers who craft messages with specific characters may crash the workspace due to an issue in the message parser.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2025

CVE-2024-47048
Publication date:
25/09/2024
Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier allows stored XSS in the description and release notes of the marketplace and private apps.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2025

CVE-2024-46607
Publication date:
25/09/2024
Incorrect access control in IceCMS v3.4.7 and before allows attackers to authenticate by entering any arbitrary values as the username and password via the loginAdmin method in the UserController.java file.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2025
Subscribe to Vulnerabilities