Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-2408
Publication date:
09/06/2024
The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable.<br /> <br /> PHP Windows builds for the versions 8.1.29, 8.2.20 and 8.3.8 and above include OpenSSL patches that fix the vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
21/03/2025

CVE-2024-37569
Publication date:
09/06/2024
An issue was discovered on Mitel 6869i through 4.5.0.41 and 5.x through 5.0.0.1018 devices. A command injection vulnerability exists in the hostname parameter taken in by the provis.html endpoint. The provis.html endpoint performs no sanitization on the hostname parameter (sent by an authenticated user), which is subsequently written to disk. During boot, the hostname parameter is executed as part of a series of shell commands. Attackers can achieve remote code execution in the root context by placing shell metacharacters in the hostname parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2024-37570
Publication date:
09/06/2024
On Mitel 6869i 4.5.0.41 devices, the Manual Firmware Update (upgrade.html) page does not perform sanitization on the username and path parameters (sent by an authenticated user) before appending flags to the busybox ftpget command. This leads to $() command execution.
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2024

CVE-2024-4577
Publication date:
09/06/2024
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-35748
Publication date:
09/06/2024
Missing Authorization vulnerability in OPMC WooCommerce Dropshipping.This issue affects WooCommerce Dropshipping: from n/a through 5.0.4.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2024

CVE-2024-5585
Publication date:
09/06/2024
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
Severity CVSS v4.0: Pending analysis
Last modification:
28/07/2024

CVE-2024-37568
Publication date:
09/06/2024
lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-5458
Publication date:
09/06/2024
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-32081
Publication date:
09/06/2024
Missing Authorization vulnerability in Websupporter Filter Custom Fields &amp; Taxonomies Light.This issue affects Filter Custom Fields &amp; Taxonomies Light: from n/a through 1.05.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2024

CVE-2024-34802
Publication date:
09/06/2024
Missing Authorization vulnerability in AdFoxly AdFoxly – Ad Manager, AdSense Ads &amp; Ads.Txt.This issue affects AdFoxly – Ad Manager, AdSense Ads &amp; Ads.Txt: from n/a through 1.8.5.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2024

CVE-2024-35661
Publication date:
09/06/2024
Missing Authorization vulnerability in SoftLab Upload Fields for WPForms.This issue affects Upload Fields for WPForms: from n/a through 1.0.2.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2024

CVE-2024-35662
Publication date:
09/06/2024
Missing Authorization vulnerability in Andreas Sofantzis Simple COD Fees for WooCommerce.This issue affects Simple COD Fees for WooCommerce: from n/a through 2.0.2.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2024
Subscribe to Vulnerabilities