Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-47767
Publication date:
15/01/2026
10-Strike Network Inventory Explorer Pro 9.31 contains an unquoted service path vulnerability in the srvInventoryWebServer service running with LocalSystem privileges. Attackers can exploit the unquoted path by placing malicious executables in potential path segments to achieve privilege escalation and execute code with system-level permissions.
Severity CVSS v4.0: HIGH
Last modification:
16/01/2026

CVE-2021-47768
Publication date:
15/01/2026
ImportExportTools NG 10.0.4 contains a persistent HTML injection vulnerability in the email export module that allows remote attackers to inject malicious HTML payloads. Attackers can send emails with crafted HTML in the subject that execute during HTML export, potentially compromising user data or session credentials.
Severity CVSS v4.0: MEDIUM
Last modification:
16/01/2026

CVE-2021-47769
Publication date:
15/01/2026
Isshue Shopping Cart 3.5 contains a persistent cross-site scripting vulnerability in title input fields across stock, customer, and invoice modules. Attackers with privileged user accounts can inject malicious scripts that execute on preview, potentially enabling session hijacking and persistent phishing attacks.
Severity CVSS v4.0: MEDIUM
Last modification:
16/01/2026

CVE-2021-47771
Publication date:
15/01/2026
RDP Manager 4.9.9.3 contains a denial of service vulnerability in connection input fields that allows local attackers to crash the application. Attackers can add oversized entries in Verbindungsname and Server fields to permanently freeze and crash the software, potentially requiring full reinstallation.
Severity CVSS v4.0: MEDIUM
Last modification:
16/01/2026

CVE-2021-47772
Publication date:
15/01/2026
10-Strike Network Inventory Explorer Pro 9.31 contains a buffer overflow vulnerability in the text file import functionality that allows remote code execution. Attackers can craft a malicious text file with carefully constructed payload to trigger a reverse shell and execute arbitrary code on the target system.
Severity CVSS v4.0: HIGH
Last modification:
16/01/2026

CVE-2021-47761
Publication date:
15/01/2026
MilleGPG5 5.7.2 contains a local privilege escalation vulnerability that allows authenticated users to modify service executable files in the MariaDB bin directory. Attackers can replace the mysqld.exe with a malicious executable, which will execute with system privileges when the computer restarts.
Severity CVSS v4.0: HIGH
Last modification:
16/01/2026

CVE-2021-47762
Publication date:
15/01/2026
HTTPDebuggerPro 9.11 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables and gain elevated access to the system.
Severity CVSS v4.0: HIGH
Last modification:
16/01/2026

CVE-2021-47763
Publication date:
15/01/2026
Aimeos 2021.10 LTS contains a SQL injection vulnerability in the json api 'sort' parameter that allows attackers to inject malicious database queries. Attackers can manipulate the sort parameter to reveal table and column names by sending crafted GET requests to the jsonapi/review endpoint.
Severity CVSS v4.0: HIGH
Last modification:
16/01/2026

CVE-2021-47764
Publication date:
15/01/2026
AbsoluteTelnet 11.24 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating DialUp connection and license name fields. Attackers can generate a 1000-character payload and paste it into specific input fields to trigger application crashes and force unexpected termination.
Severity CVSS v4.0: MEDIUM
Last modification:
16/01/2026

CVE-2021-47765
Publication date:
15/01/2026
AbsoluteTelnet 11.24 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating username and error report fields. Attackers can trigger the crash by inserting 1000 characters into the username or email address fields, causing the application to become unresponsive.
Severity CVSS v4.0: MEDIUM
Last modification:
16/01/2026

CVE-2021-47753
Publication date:
15/01/2026
phpKF CMS 3.00 Beta y6 contains an unauthenticated file upload vulnerability that allows remote attackers to execute arbitrary code by bypassing file extension checks. Attackers can upload a PHP file disguised as a PNG, rename it, and execute system commands through a crafted web shell parameter.
Severity CVSS v4.0: CRITICAL
Last modification:
16/01/2026

CVE-2021-47754
Publication date:
15/01/2026
Arunna 1.0.0 contains a cross-site request forgery vulnerability that allows attackers to manipulate user profile settings without authentication. Attackers can craft a malicious form to change user details, including passwords, email, and administrative privileges by tricking authenticated users into submitting the form.
Severity CVSS v4.0: MEDIUM
Last modification:
16/01/2026
Subscribe to Vulnerabilities