Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-9101

Publication date:
19/12/2024
A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' of phpLDAPadmin (version 1.2.1 through the latest version, 1.2.6.7) allows attackers to execute arbitrary JavaScript in the user's browser via the 'element' parameter, which is unsafely passed to the JavaScript 'eval' function. However, exploitation is limited to specific conditions where 'opener' is correctly set.
Severity CVSS v4.0: LOW
Last modification:
15/04/2026

CVE-2024-9102

Publication date:
19/12/2024
phpLDAPadmin since at least version 1.2.0 through the latest version 1.2.6.7 allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is opened by a spreadsheet product. Thus, this could lead to CSV Formula Injection. NOTE: This vulnerability will not be addressed, the maintainer's position is that it is not the intention of phpLDAPadmin to control what data Administrators can put in their LDAP database, nor filter it on export.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2021-26102

Publication date:
19/12/2024
A relative path traversal vulnerability (CWE-23) in FortiWAN version 4.5.7 and below, 4.4 all versions may allow a remote non-authenticated attacker to delete files on the system by sending a crafted POST request. In particular, deleting specific configuration files will reset the Admin password to its default value.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2024-10244

Publication date:
19/12/2024
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ISDO Software Web Software allows SQL Injection. This issue affects Web Software: before 3.6.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-12784

Publication date:
19/12/2024
A vulnerability was found in itsourcecode Vehicle Management System 1.0. It has been classified as critical. Affected is an unknown function of the file editbill.php. The manipulation of the argument id leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
22/12/2025

CVE-2024-12783

Publication date:
19/12/2024
A vulnerability was found in itsourcecode Vehicle Management System 1.0 and classified as problematic. This issue affects some unknown processing of the file /billaction.php. The manipulation of the argument extra-cost leads to cross-site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
10/01/2025

CVE-2021-32589

Publication date:
19/12/2024
A Use After Free (CWE-416) vulnerability in FortiManager version 7.0.0, version 6.4.5 and below, version 6.2.7 and below, version 6.0.10 and below, version 5.6.10 and below, version 5.4.7 and below, version 5.2.10 and below, version 5.0.12 and below and FortiAnalyzer version 7.0.0, version 6.4.5 and below, version 6.2.7 and below, version 6.0.10 and below, version 5.6.10 and below, version 5.4.7 and below, version 5.3.11, version 5.2.10 to 5.2.4 fgfmsd daemon may allow a remote, non-authenticated attacker to execute unauthorized code as root via sending a specifically crafted request to the fgfm port of the targeted device.
Severity CVSS v4.0: Pending analysis
Last modification:
31/01/2025

CVE-2024-12782

Publication date:
19/12/2024
A vulnerability has been found in Fujifilm Business Innovation Apeos C3070, Apeos C5570 and Apeos C6580 up to 24.8.28 and classified as critical. This vulnerability affects unknown code of the file /home/index.html#hashHome of the component Web Interface. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor explains that "during technical verification it is not possible to reproduce any active actions like reboots which were mentioned in the original researcher disclosure."
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2024-45818

Publication date:
19/12/2024
The hypervisor contains code to accelerate VGA memory accesses for HVM guests, when the (virtual) VGA is in "standard" mode. Locking involved there has an unusual discipline, leaving a lock acquired past the return from the function that acquired it. This behavior results in a problem when emulating an instruction with two memory accesses, both of which touch VGA memory (plus some further constraints which aren't relevant here). When emulating the 2nd access, the lock that is already being held would be attempted to be re-acquired, resulting in a deadlock. This deadlock was already found when the code was first introduced, but was analysed incorrectly and the fix was incomplete. Analysis in light of the new finding cannot find a way to make the existing locking discipline work. In staging, this logic has all been removed because it was discovered to be accidentally disabled since Xen 4.7. Therefore, we are fixing the locking problem by backporting the removal of most of the feature. Note that even with the feature disabled, the lock would still be acquired for any accesses to the VGA MMIO region.
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2025

CVE-2024-45819

Publication date:
19/12/2024
PVH guests have their ACPI tables constructed by the toolstack. The construction involves building the tables in local memory, which are then copied into guest memory. While actually used parts of the local memory are filled in correctly, excess space that is being allocated is left with its prior contents.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2024-12626

Publication date:
19/12/2024
The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘a-0-o-search_field_value’ parameter in all versions up to, and including, 5.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. When used in conjunction with the plugin's import and code action feature, this vulnerability can be leveraged to execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-37962

Publication date:
19/12/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Agency Dominion Inc. Fusion fusion. This issue affects Fusion: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026