Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-25241
Publication date:
04/04/2026
VPN Browser+ 1.1.0.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting oversized input through the search functionality. Attackers can paste a large buffer of characters into the search bar to trigger an unhandled exception that terminates the application.
Severity CVSS v4.0: HIGH
Last modification:
16/04/2026

CVE-2018-25242
Publication date:
04/04/2026
One Search 1.1.0.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting excessively long input strings to the search functionality. Attackers can paste a buffer of 950 or more characters into the search bar to trigger an unhandled exception that crashes the application.
Severity CVSS v4.0: MEDIUM
Last modification:
16/04/2026

CVE-2018-25243
Publication date:
04/04/2026
FastTube 1.0.1.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string to the search functionality. Attackers can paste a buffer of 1900 characters into the search bar and trigger a crash when the search operation is executed.
Severity CVSS v4.0: MEDIUM
Last modification:
16/04/2026

CVE-2016-20056
Publication date:
04/04/2026
Spy Emergency build 23.0.205 contains an unquoted service path vulnerability in the SpyEmrgHealth and SpyEmrgSrv services that allows local attackers to escalate privileges by inserting malicious executables. Attackers can place executable files in the unquoted service path and trigger service restart or system reboot to execute code with LocalSystem privileges.
Severity CVSS v4.0: HIGH
Last modification:
16/04/2026

CVE-2016-20060
Publication date:
04/04/2026
Hotspot Shield 6.0.3 contains an unquoted service path vulnerability in the hshld service binary that allows local attackers to escalate privileges by injecting malicious executables. Attackers can place executable files in the service path and upon service restart or system reboot, the malicious code executes with LocalSystem privileges.
Severity CVSS v4.0: HIGH
Last modification:
16/04/2026

CVE-2016-20061
Publication date:
04/04/2026
sheed AntiVirus 2.3 contains an unquoted service path vulnerability in the ShavProt service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can insert a malicious executable in the unquoted path and trigger service restart or system reboot to execute code with LocalSystem privileges.
Severity CVSS v4.0: HIGH
Last modification:
16/04/2026

CVE-2016-20057
Publication date:
04/04/2026
NETGATE Registry Cleaner build 16.0.205 contains an unquoted service path vulnerability in the NGRegClnSrv service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can place a malicious executable in the unquoted path and trigger service restart or system reboot to execute code with LocalSystem privileges.
Severity CVSS v4.0: HIGH
Last modification:
20/04/2026

CVE-2016-20059
Publication date:
04/04/2026
IObit Malware Fighter 4.3.1 contains an unquoted service path vulnerability in the IMFservice and LiveUpdateSvc services that allows local attackers to escalate privileges. Attackers can insert a malicious executable file in the unquoted service path and trigger privilege escalation when the service restarts or the system reboots, executing code with LocalSystem privileges.
Severity CVSS v4.0: HIGH
Last modification:
27/04/2026

CVE-2016-20058
Publication date:
04/04/2026
Netgate AMITI Antivirus build 23.0.305 contains an unquoted service path vulnerability in the AmitiAvSrv and AmitiAntivirusHealth services that allows local attackers to escalate privileges. Attackers can place a malicious executable in the unquoted service path and trigger service restart or system reboot to execute code with LocalSystem privileges.
Severity CVSS v4.0: HIGH
Last modification:
27/04/2026

CVE-2016-20051
Publication date:
04/04/2026
Snews CMS 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials without authentication by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that submits POST requests to the changeup action, modifying the admin username and password parameters to gain unauthorized access.
Severity CVSS v4.0: MEDIUM
Last modification:
14/04/2026

CVE-2016-20052
Publication date:
04/04/2026
Snews CMS 1.7 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files including PHP executables to the snews_files directory. Attackers can upload malicious PHP files through the multipart form-data upload endpoint and execute them by accessing the uploaded file path to achieve remote code execution.
Severity CVSS v4.0: CRITICAL
Last modification:
14/04/2026

CVE-2016-20053
Publication date:
04/04/2026
Redaxo CMS 5.2 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by tricking authenticated administrators into visiting malicious pages. Attackers can craft HTML forms targeting the users endpoint with hidden fields containing admin credentials and account parameters to add new administrator accounts without user consent.
Severity CVSS v4.0: MEDIUM
Last modification:
14/04/2026
Subscribe to Vulnerabilities