Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-56733
Publication date:
30/12/2024
Password Pusher is an open source application to communicate sensitive information over the web. A vulnerability has been reported in versions 1.50.3 and prior where an attacker can copy the session cookie before a user logs out, potentially allowing session hijacking. Although the session token is replaced and invalidated upon logout, if an attacker manages to capture the session cookie before this process, they can use the token to gain unauthorized access to the user's session until the token expires or is manually cleared. This vulnerability hinges on the attacker's ability to access the session cookie during an active session, either through a man-in-the-middle attack, by exploiting another vulnerability like XSS, or via direct access to the victim's device. Although there is no direct resolution to this vulnerability, it is recommended to always use the latest version of Password Pusher to best mitigate risk. If self-hosting, ensure Password Pusher is hosted exclusively over SSL connections to encrypt traffic and prevent session cookies from being intercepted in transit. Additionally, implement best practices in local security to safeguard user systems, browsers, and data against unauthorized access.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-12835
Publication date:
30/12/2024
Delta Electronics DRASimuCAD ICS File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics DRASimuCAD. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.<br /> <br /> The specific flaw exists within the parsing of ICS files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22415.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2025

CVE-2024-12836
Publication date:
30/12/2024
Delta Electronics DRASimuCAD STP File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics DRASimuCAD. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.<br /> <br /> The specific flaw exists within the parsing of STP files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22450.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2025

CVE-2024-12754
Publication date:
30/12/2024
AnyDesk Link Following Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of AnyDesk. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.<br /> <br /> The specific flaw exists within the handling of background images. By creating a junction, an attacker can abuse the service to read arbitrary files. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-23940.
Severity CVSS v4.0: Pending analysis
Last modification:
14/08/2025

CVE-2024-12828
Publication date:
30/12/2024
Webmin CGI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Webmin. Authentication is required to exploit this vulnerability. <br /> <br /> The specific flaw exists within the handling of CGI requests. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-22346.
Severity CVSS v4.0: Pending analysis
Last modification:
14/08/2025

CVE-2024-12834
Publication date:
30/12/2024
Delta Electronics DRASimuCAD STP File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics DRASimuCAD. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.<br /> <br /> The specific flaw exists within the parsing of STP files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22414.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2025

CVE-2024-50701
Publication date:
30/12/2024
TeamPass before 3.1.3.1, when retrieving information about access rights for a folder, does not properly check whether a folder is in a user&amp;#39;s allowed folders list that has been defined by an admin.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2025

CVE-2024-50702
Publication date:
30/12/2024
TeamPass before 3.1.3.1 does not properly check whether a mail_me (aka action_mail) operation is on behalf of an administrator or manager.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2025

CVE-2024-50703
Publication date:
30/12/2024
TeamPass before 3.1.3.1 does not properly prevent a user from acting with the privileges of a different user_id.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2025

CVE-2024-54181
Publication date:
30/12/2024
IBM WebSphere Automation 1.7.5 could allow a remote privileged user, who has authorized access to the swagger UI, to execute arbitrary code. Using specially crafted input, the user could exploit this vulnerability to execute arbitrary code on the system.
Severity CVSS v4.0: Pending analysis
Last modification:
28/03/2025

CVE-2024-10044
Publication date:
30/12/2024
A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in lm-sys/fastchat, as of commit e208d5677c6837d590b81cb03847c0b9de100765. This vulnerability allows attackers to exploit the victim controller API server&amp;#39;s credentials to perform unauthorized web actions or access unauthorized web resources by combining it with the POST /register_worker endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
29/07/2025

CVE-2024-12993
Publication date:
30/12/2024
Infinix devices contain a pre-loaded "com.rlk.weathers" application, that exposes an unsecured content provider. An attacker can communicate with the provider and reveal the user’s location without any privileges. <br /> After multiple attempts to contact the vendor we did not receive any answer. We suppose this issue affects all Infinix Mobile devices.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026
Subscribe to Vulnerabilities