Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-5891

Publication date:

12/06/2024

A vulnerability was found in Quay. If an attacker can obtain the client ID for an application, they can use an OAuth token to authenticate despite not having access to the organization from which the application was created. This issue is limited to authentication and not authorization. However, in configurations where endpoints rely only on authentication, a user may authenticate to applications they otherwise have no access to.

Severity CVSS v4.0: Pending analysis

Last modification:

04/10/2024

CVE-2024-36263

Publication date:

12/06/2024

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in an SQL Command (&#39;SQL Injection&#39;) vulnerability in Apache Submarine Server Core. This issue affects Apache Submarine Server Core: all versions. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Severity CVSS v4.0: Pending analysis

Last modification:

15/07/2025

CVE-2024-36264

Publication date:

12/06/2024

** UNSUPPORTED WHEN ASSIGNED ** Improper Authentication vulnerability in Apache Submarine Commons Utils. If the user doesn&#39;t explicitly set `submarine.auth.default.secret`, a default value will be used. This issue affects Apache Submarine Commons Utils: from 0.8.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Severity CVSS v4.0: Pending analysis

Last modification:

20/03/2025

CVE-2024-1576

Publication date:

12/06/2024

SQL Injection vulnerability in MegaBIP software allows attacker to obtain site administrator privileges, including access to the administration panel and the ability to change the administrator password. This issue affects MegaBIP software versions through 5.09.

Severity CVSS v4.0: Pending analysis

Last modification:

14/08/2024

CVE-2024-1577

Publication date:

12/06/2024

Remote Code Execution vulnerability in MegaBIP software allows to execute arbitrary code on the server without requiring authentication by saving crafted by the attacker PHP code to one of the website files. This issue affects MegaBIP software versions through 5.11.2.

Severity CVSS v4.0: Pending analysis

Last modification:

14/08/2024

CVE-2024-1659

Publication date:

12/06/2024

Arbitrary File Upload vulnerability in MegaBIP software allows attacker to upload any file to the server (including a PHP code file) without an authentication. This issue affects MegaBIP software versions through 5.10.

Severity CVSS v4.0: Pending analysis

Last modification:

14/08/2024

CVE-2024-23445

Publication date:

12/06/2024

It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body restricts search for a given index using the query or the field_security parameter, and the same cross-cluster API key also grants replication for the same index, the search restrictions are not enforced during cross cluster search operations and search results may include documents and terms that should not be returned. This issue only affects the API key based security model for remote clusters https://www.elastic.co/guide/en/elasticsearch/reference/8.14/remote-clusters.html#remote-clusters-security-models that was previously a beta feature and is released as GA with 8.14.0

Severity CVSS v4.0: Pending analysis

Last modification:

26/09/2025

CVE-2024-5313

Publication date:

12/06/2024

CWE-668: Exposure of the Resource Wrong Sphere vulnerability exists that exposes a SSH interface over the product network interface. This does not allow to directly exploit the product or make any unintended operation as the SSH interface access is protected by an authentication mechanism. Impacts are limited to port scanning and fingerprinting activities as well as attempts to perform a potential denial of service attack on the exposed SSH interface.

Severity CVSS v4.0: Pending analysis

Last modification:

14/08/2024

CVE-2024-25949

Publication date:

12/06/2024

Dell OS10 Networking Switches, versions10.5.6.x, 10.5.5.x, 10.5.4.x and 10.5.3.x ,contain an improper authorization vulnerability. A remote authenticated attacker could potentially exploit this vulnerability leading to escalation of privileges.

Severity CVSS v4.0: Pending analysis

Last modification:

14/08/2024

CVE-2024-5056

Publication date:

12/06/2024

CWE-552: Files or Directories Accessible to External Parties vulnerability exists which may prevent user to update the device firmware and prevent proper behavior of the webserver when specific files or directories are removed from the filesystem.

Severity CVSS v4.0: Pending analysis

Last modification:

23/08/2024

CVE-2024-5211

Publication date:

12/06/2024

A path traversal vulnerability in mintplex-labs/anything-llm allowed a manager to bypass the `normalizePath()` function, intended to defend against path traversal attacks. This vulnerability enables the manager to read, delete, or overwrite the &#39;anythingllm.db&#39; database file and other files stored in the &#39;storage&#39; directory, such as internal communication keys and .env secrets. Exploitation of this vulnerability could lead to application compromise, denial of service (DoS) attacks, and unauthorized admin account takeover. The issue stems from improper validation of user-supplied input in the process of setting a custom logo for the app, which can be manipulated to achieve arbitrary file read, deletion, or overwrite, and to execute a DoS attack by deleting critical files required for the application&#39;s operation.

Severity CVSS v4.0: Pending analysis

Last modification:

15/07/2025

CVE-2024-5674

Publication date:

12/06/2024

The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete newsletter subscribers. This issue affects only sites running the PHP version below 8.0

Severity CVSS v4.0: Pending analysis

Last modification:

08/04/2026

Subscribe to Vulnerabilities