Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), through a partnership agreement under which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-45819

Publication date:
19/12/2024
PVH guests have their ACPI tables constructed by the toolstack. The construction involves building the tables in local memory, which are then copied into guest memory. While actually used parts of the local memory are filled in correctly, excess space that is being allocated is left with its prior contents.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2024-12626

Publication date:
19/12/2024
The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘a-0-o-search_field_value’ parameter in all versions up to, and including, 5.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. When used in conjunction with the plugin's import and code action feature, this vulnerability can be leveraged to execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-37962

Publication date:
19/12/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Agency Dominion Inc. Fusion fusion. This issue affects Fusion: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2024-12331

Publication date:
19/12/2024
The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_install_plugin' function in all versions up to, and including, 1.8.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the Filebird plugin.
Severity CVSS v4.0: Pending analysis
Last modification:
05/03/2025

CVE-2021-26115

Publication date:
19/12/2024
An OS command injection (CWE-78) vulnerability in FortiWAN version 4.5.7 and below Command Line Interface may allow a local, authenticated and unprivileged attacker to escalate their privileges to root via executing a specially-crafted command.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2020-15934

Publication date:
19/12/2024
An execution with unnecessary privileges vulnerability in the VCM engine of FortiClient for Linux versions 6.2.7 and below, version 6.4.0 may allow local users to elevate their privileges to root by creating a malicious script or program on the target machine.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2020-12820

Publication date:
19/12/2024
Under non-default configuration, a stack-based buffer overflow in FortiOS version 6.0.10 and below, version 5.6.12 and below may allow a remote attacker authenticated to the SSL VPN to crash the FortiClient NAC daemon (fcnacd) and potentially execute arbitrary code via requesting a large FortiClient file name. We are not aware of proof of concept code successfully achieving the latter.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2023-4617

Publication date:
19/12/2024
Incorrect authorization vulnerability in HTTP POST method in Govee Home application on Android and iOS allows remote attacker to control devices owned by other users via changing "device", "sku" and "type" fields' values. This issue affects Govee Home applications on Android and iOS in versions before 5.9.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-11616

Publication date:
19/12/2024
Netskope was made aware of a security vulnerability in Netskope Endpoint DLP’s Content Control Driver where a double-fetch issue leads to heap overflow. The vulnerability arises from the fact that the NumberOfBytes argument to ExAllocatePoolWithTag, and the Length argument for RtlCopyMemory, both independently dereference their value from the user supplied input buffer inside the EpdlpSetUsbAction function, known as a double-fetch. If this length value grows to a higher value in between these two calls, it will result in the RtlCopyMemory call copying user-supplied memory contents outside the range of the allocated buffer, resulting in a heap overflow. A malicious attacker will need admin privileges to exploit the issue. This issue affects Endpoint DLP version below R119.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2024-12569

Publication date:
19/12/2024
Disclosure of sensitive information in a Milestone XProtect Device Pack driver’s log file for third-party cameras, allows an attacker to read camera credentials stored in the Recording Server under specific conditions.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2024-4229

Publication date:
19/12/2024
Incorrect Default Permissions vulnerability in Edgecross Basic Software for Windows versions 1.00 and later and Edgecross Basic Software for Developers versions 1.00 and later allows a malicious local attacker to execute arbitrary malicious code, resulting in information disclosure, tampering with and deletion, or a denial-of-service (DoS) condition, if the product is installed in a folder other than a folder that only users with administrative privilege have permission to modify.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-4230

Publication date:
19/12/2024
External Control of File Name or Path vulnerability in Edgecross Basic Software for Windows versions 1.00 and later and Edgecross Basic Software for Developers versions 1.00 and later allows a malicious local attacker to execute arbitrary malicious code, resulting in information disclosure, tampering with and deletion, or a denial-of-service (DoS) condition.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026