Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-9977
Publication date:
15/10/2024
A vulnerability, which was classified as critical, was found in MitraStar GPT-2541GNAC BR_g5.6_1.11(WVK.0)b26. Affected is an unknown function of the file /cgi-bin/settings-firewall.cgi of the component Firewall Settings Page. The manipulation of the argument SrcInterface leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. We tried to contact the vendor early about the disclosure but the official mail address was not working properly.
Severity CVSS v4.0: MEDIUM
Last modification:
16/10/2024

CVE-2024-9986
Publication date:
15/10/2024
A vulnerability was found in code-projects Blood Bank Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file member_register.php. The manipulation of the argument fullname/username/password/email leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory only mentions the parameter "password" to be affected. But it must be assumed that other parameters are affected as well.
Severity CVSS v4.0: MEDIUM
Last modification:
23/10/2025

CVE-2024-49388
Publication date:
15/10/2024
Sensitive information manipulation due to improper authorization. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 38690.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2025

CVE-2024-9975
Publication date:
15/10/2024
A vulnerability was found in SourceCodester Drag and Drop Image Upload 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /upload.php. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
16/10/2024

CVE-2024-9976
Publication date:
15/10/2024
A vulnerability classified as critical has been found in code-projects Pharmacy Management System 1.0. This affects an unknown part of the file /php/manage_customer.php?action=search. The manipulation of the argument text leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
16/10/2024

CVE-2024-49382
Publication date:
15/10/2024
Excessive attack surface in archive-server service due to binding to an unrestricted IP address. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 38690.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2025

CVE-2024-49383
Publication date:
15/10/2024
Excessive attack surface in acep-importer service due to binding to an unrestricted IP address. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 38690.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2025

CVE-2024-49384
Publication date:
15/10/2024
Excessive attack surface in acep-collector service due to binding to an unrestricted IP address. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 38690.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2025

CVE-2024-49387
Publication date:
15/10/2024
Cleartext transmission of sensitive information in acep-collector service. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 38690.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2025

CVE-2024-47674
Publication date:
15/10/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm: avoid leaving partial pfn mappings around in error case<br /> <br /> As Jann points out, PFN mappings are special, because unlike normal<br /> memory mappings, there is no lifetime information associated with the<br /> mapping - it is just a raw mapping of PFNs with no reference counting of<br /> a &amp;#39;struct page&amp;#39;.<br /> <br /> That&amp;#39;s all very much intentional, but it does mean that it&amp;#39;s easy to<br /> mess up the cleanup in case of errors. Yes, a failed mmap() will always<br /> eventually clean up any partial mappings, but without any explicit<br /> lifetime in the page table mapping itself, it&amp;#39;s very easy to do the<br /> error handling in the wrong order.<br /> <br /> In particular, it&amp;#39;s easy to mistakenly free the physical backing store<br /> before the page tables are actually cleaned up and (temporarily) have<br /> stale dangling PTE entries.<br /> <br /> To make this situation less error-prone, just make sure that any partial<br /> pfn mapping is torn down early, before any other error handling.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-45275
Publication date:
15/10/2024
The devices contain two hard coded user accounts with hardcoded passwords that allow an unauthenticated remote attacker for full control of the affected devices.
Severity CVSS v4.0: Pending analysis
Last modification:
21/11/2024

CVE-2024-45276
Publication date:
15/10/2024
An unauthenticated remote attacker can get read access to files in the "/tmp" directory due to missing authentication.
Severity CVSS v4.0: Pending analysis
Last modification:
24/01/2025
Subscribe to Vulnerabilities