Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-45077
Publication date:
24/01/2025
IBM Maximo Asset Management 7.6.1.3 MXAPIASSET API is vulnerable to unrestricted file upload which allows authenticated low privileged user to upload restricted file types with a simple method of adding a dot to the end of the file name if Maximo is installed on Windows operating system.
Severity CVSS v4.0: Pending analysis
Last modification:
14/08/2025

CVE-2024-13698
Publication date:
24/01/2025
The Jobify - Job Board WordPress Theme for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'download_image_via_ai' and 'generate_image_via_ai' functions in all versions up to, and including, 4.2.7. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application to upload files in an image format, and to generate AI images using the site's OpenAI key.
Severity CVSS v4.0: Pending analysis
Last modification:
07/02/2025

CVE-2024-25034
Publication date:
24/01/2025
IBM Planning Analytics 2.0 and 2.1 could be vulnerable to malicious file upload by not validating the type of file in the File Manager T1 process. Attackers can make use of this weakness and upload malicious executable files into the system that can be sent to victims for performing further attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
04/03/2025

CVE-2025-0697
Publication date:
24/01/2025
A vulnerability, which was classified as problematic, was found in Telstra Smart Modem Gen 2 up to 20250115. This affects an unknown part of the component HTTP Header Handler. The manipulation of the argument Content-Disposition leads to injection. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
24/01/2025

CVE-2025-22605
Publication date:
24/01/2025
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Starting in version 4.0.0-beta.18 and prior to 4.0.0-beta.253, a vulnerability in the execution of commands on remote servers allows an authenticated user to execute arbitrary code on the local Coolify container, gaining access to data and private keys or tokens of other users/teams. The ability to inject malicious commands into the Coolify container gives authenticated attackers the ability to fully retrieve and control the data and availability of the software. Centrally hosted Coolify instances (open registration and/or multiple teams with potentially untrustworthy users) are especially at risk, as sensitive data of all users and connected servers can be leaked by any user. Additionally, attackers are able to modify the running software, potentially deploying malicious images to remote nodes or generally changing its behavior. Version 4.0.0-beta.253 patches this issue.
Severity CVSS v4.0: HIGH
Last modification:
19/09/2025

CVE-2024-9493
Publication date:
24/01/2025
DLL hijacking vulnerabilities, caused by an uncontrolled search path in the <br /> <br /> ToolStick<br /> <br /> installer can lead to privilege escalation and arbitrary code execution when running the impacted installer.
Severity CVSS v4.0: Pending analysis
Last modification:
24/01/2025

CVE-2024-9494
Publication date:
24/01/2025
DLL hijacking vulnerabilities, caused by an uncontrolled search path in the <br /> <br /> <br /> <br /> CP210 VCP Win 2k<br /> <br /> <br /> <br /> installer can lead to privilege escalation and arbitrary code execution when running the impacted installer.
Severity CVSS v4.0: Pending analysis
Last modification:
24/01/2025

CVE-2024-9495
Publication date:
24/01/2025
DLL hijacking vulnerabilities, caused by an uncontrolled search path in the CP210x VCP Windows <br /> <br /> <br /> <br /> installer can lead to privilege escalation and arbitrary code execution when running the impacted installer.
Severity CVSS v4.0: Pending analysis
Last modification:
24/01/2025

CVE-2024-9496
Publication date:
24/01/2025
DLL hijacking vulnerabilities, caused by an uncontrolled search path in the USBXpress Dev Kit<br /> <br /> <br /> <br /> <br /> <br /> installer can lead to privilege escalation and arbitrary code execution when running the impacted installer.
Severity CVSS v4.0: Pending analysis
Last modification:
18/02/2025

CVE-2024-9497
Publication date:
24/01/2025
DLL hijacking vulnerabilities, caused by an uncontrolled search path in the USBXpress 4 SDK<br /> <br /> <br /> <br /> <br /> <br /> installer can lead to privilege escalation and arbitrary code execution when running the impacted installer.
Severity CVSS v4.0: Pending analysis
Last modification:
27/08/2025

CVE-2024-9498
Publication date:
24/01/2025
DLL hijacking vulnerabilities, caused by an uncontrolled search path in the USBXpress SDK<br /> <br /> <br /> <br /> <br /> <br /> installer can lead to privilege escalation and arbitrary code execution when running the impacted installer.
Severity CVSS v4.0: Pending analysis
Last modification:
18/02/2025

CVE-2024-9499
Publication date:
24/01/2025
DLL hijacking vulnerabilities, caused by an uncontrolled search path in the USBXpress Win 98SE Dev Kit installer can lead to privilege escalation and arbitrary code execution when running the impacted installer.
Severity CVSS v4.0: Pending analysis
Last modification:
18/02/2025
Subscribe to Vulnerabilities