Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made available to interested users a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-6564

Publication date:
08/02/2024
An issue has been discovered in GitLab EE Premium and Ultimate affecting versions 16.4.3, 16.5.3, and 16.6.1. In projects using subgroups to define who can push and/or merge to protected branches, there may have been instances in which subgroup members with the Developer role were able to push or merge to protected branches.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2024

CVE-2024-24879

Publication date:
08/02/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yannick Lefebvre Link Library allows Reflected XSS. This issue affects Link Library: from n/a through 7.5.13.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2024

CVE-2024-24886

Publication date:
08/02/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Acowebs Product Labels For Woocommerce (Sale Badges) allows Stored XSS. This issue affects Product Labels For Woocommerce (Sale Badges): from n/a through 1.5.3.
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2024

CVE-2024-22464

Publication date:
08/02/2024
Dell EMC AppSync, versions from 4.2.0.0 to 4.6.0.0 including all Service Pack releases, contain an exposure of sensitive information vulnerability in AppSync server logs. A high privileged remote attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable system with privileges of the compromised account.
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2024

CVE-2023-6515

Publication date:
08/02/2024
Authorization Bypass Through User-Controlled Key vulnerability in Mia Technology Inc. MİA-MED allows Authentication Abuse. This issue affects MİA-MED: before 1.0.7.
Severity CVSS v4.0: Pending analysis
Last modification:
21/03/2024

CVE-2024-0965

Publication date:
08/02/2024
The Simple Page Access Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.21 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's page restriction and view page content.
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2024

CVE-2024-1207

Publication date:
08/02/2024
The WP Booking Calendar plugin for WordPress is vulnerable to SQL Injection via the 'calendar_request_params[dates_ddmmyy_csv]' parameter in all versions up to, and including, 9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2024

CVE-2024-23452

Publication date:
08/02/2024
Request smuggling vulnerability in HTTP server in Apache bRPC 0.9.5~1.7.0 on all platforms allows attacker to smuggle request.
Vulnerability Cause Description:
The http_parser does not comply with the RFC-7230 HTTP 1.1 specification.
Attack scenario:
If a message is received with both a Transfer-Encoding and a Content-Length header field, such a message might indicate an attempt to perform request smuggling or response splitting.
One particular attack scenario is that a bRPC made http server on the backend receiving requests in one persistent connection from frontend server that uses TE to parse request with the logic that 'chunk' is contained in the TE field. In that case an attacker can smuggle a request into the connection to the backend server.
Solution:
You can choose one solution from below:
1. Upgrade bRPC to version 1.8.0, which fixes this issue. Download link: https://github.com/apache/brpc/releases/tag/1.8.0
2. Apply this patch: https://github.com/apache/brpc/pull/2518
Severity CVSS v4.0: Pending analysis
Last modification:
04/06/2025

CVE-2024-24034

Publication date:
08/02/2024
Setor Informatica S.I.L version 3.0 is vulnerable to Open Redirect via the hprinter parameter, allows remote attackers to execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2025

CVE-2024-0511

Publication date:
08/02/2024
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.87. This is due to missing or incorrect nonce validation on the wpr_update_form_action_meta function. This makes it possible for unauthenticated attackers to post metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2024

CVE-2024-24091

Publication date:
08/02/2024
Yealink Meeting Server before v26.0.0.66 was discovered to contain an OS command injection vulnerability via the file upload interface.
Severity CVSS v4.0: Pending analysis
Last modification:
05/09/2024

CVE-2024-24216

Publication date:
08/02/2024
Zentao v18.0 to v18.10 was discovered to contain a remote code execution (RCE) vulnerability via the checkConnection method of /app/zentao/module/repo/model.php.
Severity CVSS v4.0: Pending analysis
Last modification:
08/05/2025