Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-49118
Publication date:
02/02/2024
<br /> in OpenHarmony v3.2.4 and prior versions allow a local attacker causes information leak through out-of-bounds Read.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2024

CVE-2024-0285
Publication date:
02/02/2024
<br /> in OpenHarmony v4.0.0 and prior versions allow a local attacker cause DOS through improper input.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2024

CVE-2021-22282
Publication date:
02/02/2024
Improper Control of Generation of Code (&amp;#39;Code Injection&amp;#39;) vulnerability in B&amp;R Industrial Automation Automation Studio allows Local Execution of Code.This issue affects Automation Studio: from 4.0 through 4.12.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
10/02/2024

CVE-2023-43756
Publication date:
02/02/2024
<br /> in OpenHarmony v3.2.4 and prior versions allow a local attacker causes information leak through out-of-bounds Read.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2024

CVE-2020-24681
Publication date:
02/02/2024
Incorrect Permission Assignment for Critical Resource vulnerability in B&amp;R Industrial Automation Automation Studio allows Privilege Escalation.This issue affects Automation Studio: from 4.6.0 through 4.6.X, from 4.7.0 before 4.7.7 SP, from 4.8.0 before 4.8.6 SP, from 4.9.0 before 4.9.4 SP.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
10/02/2024

CVE-2024-1047
Publication date:
02/02/2024
The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the register_reference() function in all versions up to, and including, 2.10.28. This makes it possible for unauthenticated attackers to update the connected API keys.
Severity CVSS v4.0: Pending analysis
Last modification:
08/02/2024

CVE-2024-1143
Publication date:
02/02/2024
Central Dogma versions prior to 0.64.1 is vulnerable to Cross-Site Scripting (XSS), which could allow for the leakage of user sessions and subsequent authentication bypass.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2025

CVE-2024-1162
Publication date:
02/02/2024
The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10.29. This is due to missing or incorrect nonce validation on the register_reference() function. This makes it possible for unauthenticated attackers to update the connected API keys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
08/02/2024

CVE-2023-46045
Publication date:
02/02/2024
Graphviz 2.36.0 through 9.x before 10.0.1 has an out-of-bounds read via a crafted config6a file. NOTE: exploitability may be uncommon because this file is typically owned by root.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2024-24482
Publication date:
02/02/2024
Aprktool before 2.9.3 on Windows allows ../ and /.. directory traversal.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024

CVE-2024-1073
Publication date:
02/02/2024
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the &amp;#39;filter_array&amp;#39; parameter in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
07/02/2024

CVE-2024-21485
Publication date:
02/02/2024
Versions of the package dash-core-components before 2.13.0; versions of the package dash-core-components before 2.0.0; versions of the package dash before 2.15.0; versions of the package dash-html-components before 2.0.0; versions of the package dash-html-components before 2.0.16 are vulnerable to Cross-site Scripting (XSS) when the href of the a tag is controlled by an adversary. An authenticated attacker who stores a view that exploits this vulnerability could steal the data that&amp;#39;s visible to another user who opens that view - not just the data already included on the page, but they could also, in theory, make additional requests and access other data accessible to this user. In some cases, they could also steal the access tokens of that user, which would allow the attacker to act as that user, including viewing other apps and resources hosted on the same server.<br /> <br /> **Note:**<br /> <br /> This is only exploitable in Dash apps that include some mechanism to store user input to be reloaded by a different user.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2025
Subscribe to Vulnerabilities