Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-0766
Publication date:
11/09/2020
An elevation of privilege vulnerability exists when the Microsoft Store Runtime improperly handles memory.<br /> To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges.<br /> The security update addresses the vulnerability by correcting how the Microsoft Store Runtime handles memory.
Severity CVSS v4.0: Pending analysis
Last modification:
23/02/2026

CVE-2020-0782
Publication date:
11/09/2020
An elevation of privilege vulnerability exists when the Windows Cryptographic Catalog Services improperly handle objects in memory. An attacker who successfully exploited this vulnerability could modify the cryptographic catalog.<br /> To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.<br /> The security update addresses the vulnerability by addressing how the Windows Cryptographic Catalog Services handle objects in memory.
Severity CVSS v4.0: Pending analysis
Last modification:
23/02/2026

CVE-2020-0790
Publication date:
11/09/2020
A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity.<br /> This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted.<br /> The security update addresses the vulnerability by ensuring splwow64.exe properly handles these calls..
Severity CVSS v4.0: Pending analysis
Last modification:
23/02/2026

CVE-2020-0805
Publication date:
11/09/2020
A security feature bypass vulnerability exists when a Windows Projected Filesystem improperly handles file redirections. An attacker who successfully exploited this vulnerability could delete a targeted file they would not have permissions to.<br /> To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability.<br /> The security update addresses the vulnerability by correcting how Windows Projected Filesystem handle file redirections.
Severity CVSS v4.0: Pending analysis
Last modification:
23/02/2026

CVE-2020-0836
Publication date:
11/09/2020
A denial of service vulnerability exists in Windows DNS when it fails to properly handle queries. An attacker who successfully exploited this vulnerability could cause the DNS service to become nonresponsive.<br /> To exploit the vulnerability, an authenticated attacker could send malicious DNS queries to a target, resulting in a denial of service.<br /> The update addresses the vulnerability by correcting how Windows DNS processes queries.
Severity CVSS v4.0: Pending analysis
Last modification:
23/02/2026

CVE-2020-15169
Publication date:
11/09/2020
In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View&amp;#39;s translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-25276
Publication date:
11/09/2020
An issue was discovered in PrimeKey EJBCA 6.x and 7.x before 7.4.1. When using a client certificate to enroll over the EST protocol, no revocation check is performed on that certificate. This vulnerability can only affect a system that has EST configured, uses client certificates to authenticate enrollment, and has had such a certificate revoked. This certificate needs to belong to a role that is authorized to enroll new end entities. (To completely mitigate this problem prior to upgrade, remove any revoked client certificates from their respective roles.)
Severity CVSS v4.0: Pending analysis
Last modification:
16/09/2020

CVE-2020-15166
Publication date:
11/09/2020
In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability. Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are impacted. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them. This is patched in version 4.3.3.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2018-19946
Publication date:
11/09/2020
The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this improper certificate validation vulnerability could allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. QNAP has already fixed the issue in Helpdesk 3.0.3 and later.
Severity CVSS v4.0: Pending analysis
Last modification:
16/09/2020

CVE-2018-19948
Publication date:
11/09/2020
The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this cross-site request forgery (CSRF) vulnerability could allow attackers to force NAS users to execute unintentional actions through a web application. QNAP has already fixed the issue in Helpdesk 3.0.3 and later.
Severity CVSS v4.0: Pending analysis
Last modification:
16/09/2020

CVE-2018-19947
Publication date:
11/09/2020
The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this information exposure vulnerability could disclose sensitive information. QNAP has already fixed the issue in Helpdesk 3.0.3 and later.
Severity CVSS v4.0: Pending analysis
Last modification:
16/09/2020

CVE-2020-16212
Publication date:
11/09/2020
In Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, the product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. The application on the surveillance station operates in kiosk mode, which is vulnerable to local breakouts that could allow an attacker with physical access to escape the restricted environment with limited privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2023
Subscribe to Vulnerabilities