Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates that information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-2041

Publication date:
06/05/2024
Rejected reason: ***DUPLICATE** Please use CVE-2024-3241 instead.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2024

CVE-2024-33749

Publication date:
06/05/2024
DedeCMS V5.7.114 is vulnerable to deletion of any file via mail_file_manage.php.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2025

CVE-2024-33788

Publication date:
06/05/2024
Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability via the PinCode parameter at /API/info form endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2025

CVE-2024-33829

Publication date:
06/05/2024
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/readDeal.php?mudi=updateWebCache.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2025

CVE-2024-33830

Publication date:
06/05/2024
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/readDeal.php?mudi=clearWebCache.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2025

CVE-2023-49676

Publication date:
06/05/2024
An unauthenticated local attacker may trick a user to open corrupted project files to crash the system due to use after free vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
21/11/2024

CVE-2024-33753

Publication date:
06/05/2024
Section Camera V2.5.5.3116-S50-SMA-B20160811 and earlier versions allow the accounts and passwords of administrators and users to be changed without authorization.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2024-3576

Publication date:
06/05/2024
The NPort 5100A Series firmware version v1.6 and prior versions are affected by a web server XSS vulnerability. The vulnerability is caused by not correctly neutralizing user-controllable input before placing it in output. Malicious users may use the vulnerability to get sensitive information and escalate privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2024

CVE-2023-49675

Publication date:
06/05/2024
An unauthenticated local attacker may trick a user to open corrupted project files to execute arbitrary code or crash the system due to an out-of-bounds write vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
21/11/2024

CVE-2023-6854

Publication date:
06/05/2024
The Breakdance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom postmeta output in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping on user supplied post meta fields. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2024-23188

Publication date:
06/05/2024
Maliciously crafted E-Mail attachment names could be used to temporarily execute script code in the context of the user's browser session. Common user interaction is required for the vulnerability to trigger. Attackers could perform malicious API requests or extract information from the user's account. Please deploy the provided updates and patch releases. We now use safer methods of handling external content when embedding attachment information to the web interface. No publicly available exploits are known.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2024-23193

Publication date:
06/05/2024
E-Mails exported as PDF were stored in a cache that did not consider specific session information for the related user account. Users of the same service node could access other users' E-Mails in case they were exported as PDF for a brief moment until caches were cleared. Successful exploitation requires good timing and modification of multiple request parameters. Please deploy the provided updates and patch releases. The cache for PDF exports now takes user session information into consideration when performing authorization decisions. No publicly available exploits are known.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2025