Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-22208

Publication date:
05/02/2024
phpMyFAQ is an Open Source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. The 'sharing FAQ' functionality allows any unauthenticated actor to misuse the phpMyFAQ application to send arbitrary emails to a large range of targets. The phpMyFAQ application has a functionality where anyone can share a FAQ item to others. The front-end of this functionality allows any phpMyFAQ articles to be shared with 5 email addresses. Any unauthenticated actor can perform this action. There is a CAPTCHA in place, however the amount of people you email with a single request is not limited to 5 by the backend. An attacker can thus solve a single CAPTCHA and send thousands of emails at once. An attacker can utilize the target application's email server to send phishing messages. This can get the server on a blacklist, causing all emails to end up in spam. It can also lead to reputation damages. This issue has been patched in version 3.2.5.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2024

CVE-2023-51951

Publication date:
05/02/2024
SQL Injection vulnerability in Stock Management System 1.0 allows a remote attacker to execute arbitrary code via the id parameter in the manage_bo.php file.
Severity CVSS v4.0: Pending analysis
Last modification:
06/02/2026

CVE-2023-27318

Publication date:
05/02/2024
StorageGRID (formerly StorageGRID Webscale) versions 11.6.0 through 11.6.0.13 are susceptible to a Denial of Service (DoS) vulnerability. A successful exploit could lead to a crash of the Local Distribution Router (LDR) service.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2024

CVE-2023-50781

Publication date:
05/02/2024
A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2024

CVE-2024-22202

Publication date:
05/02/2024
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. phpMyFAQ's user removal page allows an attacker to spoof another user's detail, and in turn make a compelling phishing case for removing another user's account. The front-end of this page doesn't allow changing the form details, an attacker can utilize a proxy to intercept this request and submit other data. Upon submitting this form, an email is sent to the administrator informing them that this user wants to delete their account. An administrator has no way of telling the difference between the actual user wishing to delete their account or the attacker issuing this for an account they do not control. This issue has been patched in version 3.2.5.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2024

CVE-2024-22567

Publication date:
05/02/2024
File Upload vulnerability in MCMS 5.3.5 allows attackers to upload arbitrary files via crafted POST request to /ms/file/upload.do.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2025

CVE-2024-24396

Publication date:
05/02/2024
Cross Site Scripting vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code via a crafted payload to the search bar component.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2024-24260

Publication date:
05/02/2024
media-server v1.0.0 was discovered to contain a Use-After-Free (UAF) vulnerability via the sip_subscribe_remove function at /uac/sip-uac-subscribe.c.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2024-24262

Publication date:
05/02/2024
media-server v1.0.0 was discovered to contain a Use-After-Free (UAF) vulnerability via the sip_uac_stop_timer function at /uac/sip-uac-transaction.c.
Severity CVSS v4.0: Pending analysis
Last modification:
06/06/2025

CVE-2024-24263

Publication date:
05/02/2024
Lotos WebServer v0.1.1 was discovered to contain a Use-After-Free (UAF) vulnerability via the response_append_status_line function at /lotos/src/response.c.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2025

CVE-2024-24265

Publication date:
05/02/2024
gpac v2.2.1 was discovered to contain a memory leak via the dst_props variable in the gf_filter_pid_merge_properties_internal function.
Severity CVSS v4.0: Pending analysis
Last modification:
09/05/2025

CVE-2024-24266

Publication date:
05/02/2024
gpac v2.2.1 was discovered to contain a Use-After-Free (UAF) vulnerability via the dasher_configure_pid function at /src/filters/dasher.c.
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2025