Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-22253

Publication date:
05/03/2024
VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the UHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2025

CVE-2024-27565

Publication date:
05/03/2024
A Server-Side Request Forgery (SSRF) in weixin.php of ChatGPT-wechat-personal commit a0857f6 allows attackers to force the application to make arbitrary requests.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2024-27929

Publication date:
05/03/2024
ImageSharp is a managed, cross-platform, 2D graphics library. A heap-use-after-free flaw was found in ImageSharp's InitializeImage() function of PngDecoderCore.cs file. This vulnerability is triggered when an attacker passes a specially crafted PNG image file to ImageSharp for conversion, potentially leading to information disclosure. This issue has been patched in versions 3.1.3 and 2.1.7.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2024-27931

Publication date:
05/03/2024
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Insufficient validation of parameters in `Deno.makeTemp*` APIs would allow for creation of files outside of the allowed directories. This may allow the user to overwrite important files on the system that may affect other systems. A user may provide a prefix or suffix to a `Deno.makeTemp*` API containing path traversal characters. This is fixed in Deno 1.41.1.
Severity CVSS v4.0: Pending analysis
Last modification:
03/01/2025

CVE-2024-27561

Publication date:
05/03/2024
A Server-Side Request Forgery (SSRF) in the installUpdateThemePluginAction function of WonderCMS v3.1.3 allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the installThemePlugin parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2024-27563

Publication date:
05/03/2024
A Server-Side Request Forgery (SSRF) in the getFileFromRepo function of WonderCMS v3.1.3 allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the pluginThemeUrl parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2024-27564

Publication date:
05/03/2024
pictureproxy.php in the dirk1983 mm1.ltd source code f9f4bbc allows SSRF via the url parameter. NOTE: the references section has an archived copy of pictureproxy.php from its original GitHub location, but the repository name might later change because it is misleading.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025

CVE-2022-46088

Publication date:
05/03/2024
Online Flight Booking Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the feedback form.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2025

CVE-2024-24098

Publication date:
05/03/2024
Code-projects Scholars Tracking System 1.0 is vulnerable to SQL Injection via the News Feed.
Severity CVSS v4.0: Pending analysis
Last modification:
23/10/2025

CVE-2024-27622

Publication date:
05/03/2024
A remote code execution vulnerability has been identified in the User Defined Tags module of CMS Made Simple version 2.2.19 / 2.2.21. This vulnerability arises from inadequate sanitization of user-supplied input in the 'Code' section of the module. As a result, authenticated users with administrative privileges can inject and execute arbitrary PHP code.
Severity CVSS v4.0: Pending analysis
Last modification:
28/03/2025

CVE-2024-27625

Publication date:
05/03/2024
CMS Made Simple Version 2.2.19 is vulnerable to Cross Site Scripting (XSS). This vulnerability resides in the File Manager module of the admin panel. Specifically, the issue arises due to inadequate sanitization of user input in the "New directory" field.
Severity CVSS v4.0: Pending analysis
Last modification:
28/03/2025

CVE-2024-27627

Publication date:
05/03/2024
A reflected cross-site scripting (XSS) vulnerability exists in SuperCali version 1.1.0, allowing remote attackers to execute arbitrary JavaScript code via the email parameter in the bad_password.php page.
Severity CVSS v4.0: Pending analysis
Last modification:
05/08/2024