Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notice of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-13699

Publication date:
04/02/2025
The Qi Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘cursor’ parameter in all versions up to, and including, 1.8.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in versions 1.8.5, 1.8.6, and 1.8.7.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2025-24860

Publication date:
04/02/2025
Incorrect Authorization vulnerability in Apache Cassandra allowing users to access a datacenter or IP/CIDR groups they should not be able to when using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer. Users with restricted data center access can update their own permissions via data control language (DCL) statements on affected versions. This issue affects Apache Cassandra: from 4.0.0 through 4.0.15 and from 4.1.0 through 4.1.7 for CassandraNetworkAuthorizer, and from 5.0.0 through 5.0.2 for both CassandraNetworkAuthorizer and CassandraCIDRAuthorizer. Operators using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer on affected versions should review data access rules for potential breaches. Users are recommended to upgrade to versions 4.0.16, 4.1.8, 5.0.3, which fix the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2025

CVE-2025-0890

Publication date:
04/02/2025
**UNSUPPORTED WHEN ASSIGNED** Insecure default credentials for the Telnet function in the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an attacker to log in to the management interface if the administrators have the option to change the default credentials but fail to do so.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2025

CVE-2024-27137

Publication date:
04/02/2025
In Apache Cassandra it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorized operations. This is the same vulnerability that CVE-2020-13946 was issued for, but the Java option was changed in JDK10. This issue affects Apache Cassandra from 4.0.2 through 5.0.2 running Java 11. Operators are recommended to upgrade to a release equal to or later than 4.0.15, 4.1.8, or 5.0.3, which fix the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2025

CVE-2025-23015

Publication date:
04/02/2025
Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. A user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches. This issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 5.0.2. Users are recommended to upgrade to versions 3.0.31, 3.11.18, 4.0.16, 4.1.8, 5.0.3, which fix the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2025

CVE-2024-13510

Publication date:
04/02/2025
The ShopSite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.10. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2025

CVE-2024-13529

Publication date:
04/02/2025
The SocialV - Social Network and Community BuddyPress Theme theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'socialv_send_download_file' function in all versions up to, and including, 2.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download arbitrary files from the target system.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2025

CVE-2024-13733

Publication date:
04/02/2025
The SKT Blocks – Gutenberg based Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's skt-blocks/post-carousel block in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2025

CVE-2024-40891

Publication date:
04/02/2025
**UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the management commands of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device via Telnet.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2025

CVE-2024-40890

Publication date:
04/02/2025
**UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2025

CVE-2024-13356

Publication date:
04/02/2025
The DSGVO All in one for WP plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6. This is due to missing or incorrect nonce validation in the user_remove_form.php file. This makes it possible for unauthenticated attackers to delete admin user accounts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2025

CVE-2024-13403

Publication date:
04/02/2025
The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘fieldHTML’ parameter in all versions up to, and including, 1.9.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2025