Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. The database is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-24131

Publication date:
07/02/2024
SuperWebMailer v9.31.0.01799 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component api.php.
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2025

CVE-2024-24133

Publication date:
07/02/2024
Atmail v6.6.0 was discovered to contain a SQL injection vulnerability via the username parameter on the login page.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2024

CVE-2024-24186

Publication date:
07/02/2024
Jsish v3.5.0 (commit 42c694c) was discovered to contain a stack-overflow via the component IterGetKeysCallback at /jsish/src/jsiValue.c.
Severity CVSS v4.0: Pending analysis
Last modification:
08/05/2025

CVE-2024-24188

Publication date:
07/02/2024
Jsish v3.5.0 was discovered to contain a heap-buffer-overflow in ./src/jsiUtils.c.
Severity CVSS v4.0: Pending analysis
Last modification:
09/06/2025

CVE-2024-24189

Publication date:
07/02/2024
Jsish v3.5.0 (commit 42c694c) was discovered to contain a use-after-free via the SplitChar at ./src/jsiUtils.c.
Severity CVSS v4.0: Pending analysis
Last modification:
20/06/2025

CVE-2024-24130

Publication date:
07/02/2024
Mail2World v12 Business Control Center was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Usr parameter at resellercenter/login.asp.
Severity CVSS v4.0: Pending analysis
Last modification:
30/12/2025

CVE-2023-39196

Publication date:
07/02/2024
Improper Authentication vulnerability in Apache Ozone.
The vulnerability allows an attacker to download metadata internal to the Storage Container Manager service without proper authentication.
The attacker is not allowed to do any modification within the Ozone Storage Container Manager service using this vulnerability.
The accessible metadata does not contain sensitive information that can be used to exploit the system later on, and the accessible data does not make it possible to gain access to actual user data within Ozone.
This issue affects Apache Ozone: 1.2.0 and subsequent releases up until 1.3.0.
Users are recommended to upgrade to version 1.4.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2024-1110

Publication date:
07/02/2024
The Podlove Podcast Publisher plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the init() function in all versions up to, and including, 4.0.11. This makes it possible for unauthenticated attackers to import the plugin's settings.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2024-1118

Publication date:
07/02/2024
The Podlove Subscribe button plugin for WordPress is vulnerable to UNION-based SQL Injection via the 'button' attribute of the podlove-subscribe-button shortcode in all versions up to, and including, 1.3.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2024-1109

Publication date:
07/02/2024
The Podlove Podcast Publisher plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the init_download() and init() functions in all versions up to, and including, 4.0.11. This makes it possible for unauthenticated attackers to export the plugin's tracking data and podcast information.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2023-51437

Publication date:
07/02/2024
Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification.
Users are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider updating the configured secret in the `saslJaasServerRoleTokenSignerSecretPath` file.
Any component matching an above version running the SASL Authentication Provider is affected. That includes the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker.
2.11 Pulsar users should upgrade to at least 2.11.3.
3.0 Pulsar users should upgrade to at least 3.0.2.
3.1 Pulsar users should upgrade to at least 3.1.1.
Any users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions.
For additional details on this attack vector, please refer to https://codahale.com/a-lesson-in-timing-attacks/ .
Severity CVSS v4.0: Pending analysis
Last modification:
22/07/2024

CVE-2024-24311

Publication date:
07/02/2024
Path Traversal vulnerability in Linea Grafica "Multilingual and Multistore Sitemap Pro - SEO" (lgsitemaps) module for PrestaShop before version 1.6.6; a guest can download personal information without restriction.
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2025