Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-24306

Publication date:

24/05/2021

The Ultimate Member – User Profile, User Registration, Login & Membership Plugin WordPress plugin before 2.1.20 did not properly sanitise, validate or encode the query string when generating a link to edit user&#39;s own profile, leading to an authenticated reflected Cross-Site Scripting issue. Knowledge of the targeted username is required to exploit this, and attackers would then need to make the related logged in user open a malicious link.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2021-24307

Publication date:

24/05/2021

The All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings before 4.1.0.2 enables authenticated users with "aioseo_tools_settings" privilege (most of the time admin) to execute arbitrary code on the underlying host. Users can restore plugin&#39;s configuration by uploading a backup .ini file in the section "Tool > Import/Export". However, the plugin attempts to unserialize values of the .ini file. Moreover, the plugin embeds Monolog library which can be used to craft a gadget chain and thus trigger system command execution.

Severity CVSS v4.0: Pending analysis

Last modification:

03/05/2022

CVE-2021-21001

Publication date:

24/05/2021

On WAGO PFC200 devices in different firmware versions with special crafted packets an authorised attacker with network access to the device can access the file system with higher privileges.

Severity CVSS v4.0: Pending analysis

Last modification:

15/08/2025

CVE-2021-21000

Publication date:

24/05/2021

On WAGO PFC200 devices in different firmware versions with special crafted packets an attacker with network access to the device could cause a denial of service for the login service of the runtime.

Severity CVSS v4.0: Pending analysis

Last modification:

15/08/2025

CVE-2021-33496

Publication date:

24/05/2021

Dutchcoders transfer.sh before 1.2.4 allows XSS via an inline view.

Severity CVSS v4.0: Pending analysis

Last modification:

27/05/2021

CVE-2021-33497

Publication date:

24/05/2021

Dutchcoders transfer.sh before 1.2.4 allows Directory Traversal for deleting files.

Severity CVSS v4.0: Pending analysis

Last modification:

27/05/2021

CVE-2021-20725

Publication date:

24/05/2021

Reflected cross-site scripting vulnerability in the admin page of [Calendar01] free edition ver1.0.1 and earlier allows a remote attacker to inject an arbitrary script via unspecified vectors.

Severity CVSS v4.0: Pending analysis

Last modification:

27/05/2021

CVE-2021-20726

Publication date:

24/05/2021

Untrusted search path vulnerability in The Installer of Overwolf 2.168.0.n and earlier allows an attacker to gain privileges and execute arbitrary code with the privilege of the user invoking the installer via a Trojan horse DLL in an unspecified directory.

Severity CVSS v4.0: Pending analysis

Last modification:

03/05/2022

CVE-2021-20724

Publication date:

24/05/2021

Reflected cross-site scripting vulnerability in the admin page of [Telop01] free edition ver1.0.1 and earlier allows a remote attacker to inject an arbitrary script via unspecified vectors.

Severity CVSS v4.0: Pending analysis

Last modification:

27/05/2021

CVE-2021-20723

Publication date:

24/05/2021

Reflected cross-site scripting vulnerability in [MailForm01] free edition (versions which the last updated date listed at the top of descriptions in the program file is from 2014 December 12 to 2018 July 27) allows a remote attacker to inject an arbitrary script via unspecified vectors.

Severity CVSS v4.0: Pending analysis

Last modification:

28/05/2021

CVE-2021-20722

Publication date:

24/05/2021

Untrusted search path vulnerability in the installers of ScanSnap Manager prior to versions V7.0L20 and the Software Download Installer prior to WinSSInst2JP.exe and WinSSInst2iX1500JP.exe allows an attacker to gain privileges and execute arbitrary code with the privilege of the user invoking the installer via a Trojan horse DLL in an unspecified directory.

Severity CVSS v4.0: Pending analysis

Last modification:

03/05/2022

CVE-2021-20713

Publication date:

24/05/2021

Privilege escalation vulnerability in QND Advance/Premium/Standard Ver.11.0.4i and earlier allows an attacker who can log in to the PC where the product&#39;s Windows client is installed to gain administrative privileges via unspecified vectors. As a result, sensitive information may be altered/obtained or unintended operations may be performed.

Severity CVSS v4.0: Pending analysis

Last modification:

03/06/2021

Subscribe to Vulnerabilities