Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, as different criteria can be selected to narrow down the results, for example vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-45040

Publication date:
06/09/2024
gnark is a fast zk-SNARK library that offers a high-level API to design circuits. Prior to version 0.11.0, commitments to private witnesses in Groth16 as implemented break the zero-knowledge property. The vulnerability affects only Groth16 proofs with commitments. Notably, PLONK proofs are not affected. The vulnerability affects the zero-knowledge property of the proofs: in case the witness (secret or internal) values are small, the attacker may be able to enumerate all possible choices to deduce the actual value. If the possible choices for the variables to be committed are large or there are many values committed, then it would be computationally infeasible to enumerate all valid choices. It doesn't affect the completeness/soundness of the proofs. The vulnerability has been fixed in version 0.11.0. The patch to fix the issue is to add an additional randomized value to the list of committed values at proving time to mask the rest of the values which were committed. As a workaround, the user can manually commit to a randomized value.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2024-44739

Publication date:
06/09/2024
Sourcecodester Simple Forum Website v1.0 has a SQL injection vulnerability in /php-sqlite-forum/?page=manage_user&id=.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2025

CVE-2024-1744

Publication date:
06/09/2024
Authorization Bypass Through User-Controlled Key, Missing Authorization vulnerability in Ariva Computer Accord ORS allows Retrieve Embedded Sensitive Data. This issue affects Accord ORS: before 7.3.2.1.
Severity CVSS v4.0: CRITICAL
Last modification:
14/10/2025

CVE-2023-52916

Publication date:
06/09/2024
In the Linux kernel, the following vulnerability has been resolved:

media: aspeed: Fix memory overwrite if timing is 1600x900

When capturing 1600x900, system could crash when system memory usage is tight.

The way to reproduce this issue:
1. Use 1600x900 to display on host
2. Mount ISO through 'Virtual media' on OpenBMC's web
3. Run script as below on host to do sha continuously
#!/bin/bash
while [ [1] ];
do
find /media -type f -printf '"%h/%f"\n' | xargs sha256sum
done
4. Open KVM on OpenBMC's web

The size of macro block captured is 8x8. Therefore, we should make sure the height of src-buf is 8 aligned to fix this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2023-52915

Publication date:
06/09/2024
In the Linux kernel, the following vulnerability has been resolved:

media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer

In af9035_i2c_master_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach af9035_i2c_master_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash.

Similar commit:
commit 0ed554fd769a
("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
Severity CVSS v4.0: Pending analysis
Last modification:
10/09/2024

CVE-2024-8292

Publication date:
06/09/2024
The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to privilege escalation/account takeover in all versions up to, and including, 16.26.8. This is due to the plugin not properly verifying a user's identity during new order creation. This makes it possible for unauthenticated attackers to supply any email through the user_email field and update the password for that user during new order creation. This requires the commerce addon to be enabled in order to exploit.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2024

CVE-2024-8317

Publication date:
06/09/2024
The WP AdCenter – Ad Manager & Adsense Ads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ad_alignment' attribute in all versions up to, and including, 2.5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2024

CVE-2024-8427

Publication date:
06/09/2024
The Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_global_settings and process_form_edit functions in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings and forms.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2024

CVE-2024-7349

Publication date:
06/09/2024
The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to blind SQL Injection via the 'order' parameter in all versions up to, and including, 7.7.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2024

CVE-2024-6792

Publication date:
06/09/2024
The WP ULike WordPress plugin before 4.7.2.1 does not properly sanitize user display names when rendering on a public page.
Severity CVSS v4.0: Pending analysis
Last modification:
11/04/2025

CVE-2024-38486

Publication date:
06/09/2024
Dell SmartFabric OS10 Software, version(s) 10.5.5.4 through 10.5.5.10 and 10.5.6.x, contain(s) an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Command execution.
Severity CVSS v4.0: Pending analysis
Last modification:
13/09/2024

CVE-2024-39585

Publication date:
06/09/2024
Dell SmartFabric OS10 Software, version(s) 10.5.5.4 through 10.5.5.10 and 10.5.6.x, contain(s) a Use of Hard-coded Password vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Client-side request forgery and Information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2024