Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-22107

Publication date:
02/02/2024
An issue was discovered in GTB Central Console 15.17.1-30814.NG. The method systemSettingsDnsDataAction at /opt/webapp/src/AppBundle/Controller/React/SystemSettingsController.php is vulnerable to command injection via the /old/react/v1/api/system/dns/data endpoint. An authenticated attacker can abuse it to inject an arbitrary command and compromise the platform.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2025

CVE-2024-22108

Publication date:
02/02/2024
An issue was discovered in GTB Central Console 15.17.1-30814.NG. The method setTermsHashAction at /opt/webapp/lib/PureApi/CCApi.class.php is vulnerable to an unauthenticated SQL injection via /ccapi.php that an attacker can abuse in order to change the Administrator password to a known value.
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2025

CVE-2024-23824

Publication date:
02/02/2024
mailcow is a dockerized email package, with multiple containers linked in one bridged network. The application is vulnerable to a pixel flood attack. Once the payload has been successfully uploaded in the logo, the application goes slow and doesn't respond in the admin page. It is tested on the versions 2023-12a and prior and patched in version 2024-01.
Severity CVSS v4.0: Pending analysis
Last modification:
10/02/2024

CVE-2024-23831

Publication date:
02/02/2024
LedgerSMB is a free web-based double-entry accounting system. When a LedgerSMB database administrator has an active session in /setup.pl, an attacker can trick the admin into clicking on a link which automatically submits a request to setup.pl without the admin's consent. This request can be used to create a new user account with full application (/login.pl) privileges, leading to privilege escalation. The vulnerability is patched in versions 1.10.30 and 1.11.9.
Severity CVSS v4.0: Pending analysis
Last modification:
10/02/2024

CVE-2024-24029

Publication date:
02/02/2024
JFinalCMS 5.0.0 is vulnerable to SQL injection via /admin/content/data.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2025

CVE-2024-24160

Publication date:
02/02/2024
MRCMS 3.0 contains a Cross-Site Scripting (XSS) vulnerability via /admin/system/saveinfo.do.
Severity CVSS v4.0: Pending analysis
Last modification:
09/05/2025

CVE-2024-24161

Publication date:
02/02/2024
MRCMS 3.0 contains an Arbitrary File Read vulnerability in /admin/file/edit.do as the incoming path parameter is not filtered.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2025

CVE-2024-24470

Publication date:
02/02/2024
Cross Site Request Forgery vulnerability in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via the update_post.php component.
Severity CVSS v4.0: Pending analysis
Last modification:
20/06/2025

CVE-2024-24757

Publication date:
02/02/2024
open-irs is an issue response robot that responds to issues in the installed repository. The `.env` file was accidentally uploaded when working with git actions. This problem is fixed in 1.0.1. Discontinuing all sensitive keys and turning into secrets.
Severity CVSS v4.0: Pending analysis
Last modification:
10/02/2024

CVE-2023-50359

Publication date:
02/02/2024
An unchecked return value vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local authenticated administrators to place the system in a state that could lead to a crash or other unintended behaviors via unspecified vectors. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later; QuTS hero h5.1.5.2647 build 20240118 and later.
Severity CVSS v4.0: Pending analysis
Last modification:
06/02/2024

CVE-2023-51838

Publication date:
02/02/2024
Ylianst MeshCentral 1.1.16 suffers from Use of a Broken or Risky Cryptographic Algorithm.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2025

CVE-2023-6387

Publication date:
02/02/2024
A potential buffer overflow exists in the Bluetooth LE HCI CPC sample application in the Gecko SDK which may result in a denial of service or remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2024