Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-35057

Publication date:

21/05/2024

An issue in NASA AIT-Core v2.5.2 allows attackers to execute arbitrary code via a crafted packet.

Severity CVSS v4.0: Pending analysis

Last modification:

03/06/2025

CVE-2024-35058

Publication date:

21/05/2024

An issue in the API wait function of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary code via supplying a crafted string.

Severity CVSS v4.0: Pending analysis

Last modification:

03/06/2025

CVE-2024-4154

Publication date:

21/05/2024

In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulnerability allows unprivileged users to rename projects they do not have access to. Specifically, an unprivileged user can send a PATCH request to the project&#39;s endpoint with a new name for a project, despite not having the necessary permissions or being assigned to the project. This issue allows for unauthorized modification of project names, potentially leading to confusion or unauthorized access to project resources.

Severity CVSS v4.0: Pending analysis

Last modification:

31/01/2025

CVE-2024-34240

Publication date:

21/05/2024

QDOCS Smart School 7.0.0 is vulnerable to Cross Site Scripting (XSS) resulting in arbitrary code execution in admin functions related to adding or updating records.

Severity CVSS v4.0: Pending analysis

Last modification:

14/11/2025

CVE-2024-22273

Publication date:

21/05/2024

The storage controllers on VMware ESXi, Workstation, and Fusion have out-of-bounds read/write vulnerability. A malicious actor with access to a virtual machine with storage controllers enabled may exploit this issue to create a denial of service condition or execute code on the hypervisor from a virtual machine in conjunction with other issues.

Severity CVSS v4.0: Pending analysis

Last modification:

26/03/2025

CVE-2024-36052

Publication date:

21/05/2024

RARLAB WinRAR before 7.00, on Windows, allows attackers to spoof the screen output via ANSI escape sequences, a different issue than CVE-2024-33899.

Severity CVSS v4.0: Pending analysis

Last modification:

20/06/2025

CVE-2024-31844

Publication date:

21/05/2024

An issue was discovered in Italtel Embrace 1.6.4. The server does not properly handle application errors. In some cases, this leads to a disclosure of information about the server. An unauthenticated user is able craft specific requests in order to make the application generate an error. Inside an error message, some information about the server is revealed, such as the absolute path of the source code of the application. This kind of information can help an attacker to perform other attacks against the system. This can be exploited without authentication.

Severity CVSS v4.0: Pending analysis

Last modification:

13/03/2025

CVE-2024-31845

Publication date:

21/05/2024

An issue was discovered in Italtel Embrace 1.6.4. The product does not neutralize or incorrectly neutralizes output that is written to logs. The web application writes logs using a GET query string parameter. This parameter can be modified by an attacker, so that every action he performs is attributed to a different user. This can be exploited without authentication.

Severity CVSS v4.0: Pending analysis

Last modification:

21/05/2025

CVE-2024-31847

Publication date:

21/05/2024

An issue was discovered in Italtel Embrace 1.6.4. A stored cross-site scripting (XSS) vulnerability allows authenticated and unauthenticated remote attackers to inject arbitrary web script or HTML into a GET parameter. This reflects/stores the user input without sanitization.

Severity CVSS v4.0: Pending analysis

Last modification:

13/03/2025

CVE-2024-36039

Publication date:

21/05/2024

PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escape_dict.

Severity CVSS v4.0: Pending analysis

Last modification:

24/06/2024

CVE-2024-27128

Publication date:

21/05/2024

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute code via a network.<br /> <br /> We have already fixed the vulnerability in the following version:<br /> QTS 5.1.7.2770 build 20240520 and later<br /> QuTS hero h5.1.7.2770 build 20240520 and later

Severity CVSS v4.0: Pending analysis

Last modification:

11/09/2024

CVE-2024-27129

Publication date:

21/05/2024

Severity CVSS v4.0: Pending analysis

Last modification:

11/09/2024

Subscribe to Vulnerabilities