Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-47093

Publication date:
19/12/2024
Improper neutralization of input in Nagvis before version 1.9.42 which can lead to XSS
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-12786

Publication date:
19/12/2024
A vulnerability, which was classified as critical, was found in X1a0He Adobe Downloader up to 1.3.1 on macOS. Affected is the function shouldAcceptNewConnection of the file com.x1a0he.macOS.Adobe-Downloader.helper of the component XPC Service. The manipulation leads to improper privilege management. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. This product is not affiliated with the company Adobe.
Severity CVSS v4.0: HIGH
Last modification:
19/12/2024

CVE-2024-12785

Publication date:
19/12/2024
A vulnerability was found in itsourcecode Vehicle Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file sendmail.php. The manipulation of the argument id leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
07/02/2025

CVE-2024-9101

Publication date:
19/12/2024
A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' of phpLDAPadmin (version 1.2.1 through the latest version, 1.2.6.7) allows attackers to execute arbitrary JavaScript in the user's browser via the 'element' parameter, which is unsafely passed to the JavaScript 'eval' function. However, exploitation is limited to specific conditions where 'opener' is correctly set.
Severity CVSS v4.0: LOW
Last modification:
19/12/2024

CVE-2024-9102

Publication date:
19/12/2024
phpLDAPadmin since at least version 1.2.0 through the latest version 1.2.6.7 allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is opened by a spreadsheet product. Thus, this could lead to CSV Formula Injection. NOTE: This vulnerability will not be addressed, the maintainer's position is that it is not the intention of phpLDAPadmin to control what data Administrators can put in their LDAP database, nor filter it on export.
Severity CVSS v4.0: MEDIUM
Last modification:
16/04/2025

CVE-2021-26102

Publication date:
19/12/2024
A relative path traversal vulnerability (CWE-23) in FortiWAN version 4.5.7 and below, 4.4 all versions may allow a remote non-authenticated attacker to delete files on the system by sending a crafted POST request. In particular, deleting specific configuration files will reset the Admin password to its default value.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2024-10244

Publication date:
19/12/2024
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ISDO Software Web Software allows SQL Injection. This issue affects Web Software: before 3.6.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2024

CVE-2024-12784

Publication date:
19/12/2024
A vulnerability was found in itsourcecode Vehicle Management System 1.0. It has been classified as critical. Affected is an unknown function of the file editbill.php. The manipulation of the argument id leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
22/12/2025

CVE-2024-12783

Publication date:
19/12/2024
A vulnerability was found in itsourcecode Vehicle Management System 1.0 and classified as problematic. This issue affects some unknown processing of the file /billaction.php. The manipulation of the argument extra-cost leads to cross-site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
10/01/2025

CVE-2021-32589

Publication date:
19/12/2024
A Use After Free (CWE-416) vulnerability in FortiManager version 7.0.0, version 6.4.5 and below, version 6.2.7 and below, version 6.0.10 and below, version 5.6.10 and below, version 5.4.7 and below, version 5.2.10 and below, version 5.0.12 and below and FortiAnalyzer version 7.0.0, version 6.4.5 and below, version 6.2.7 and below, version 6.0.10 and below, version 5.6.10 and below, version 5.4.7 and below, version 5.3.11, version 5.2.10 to 5.2.4 fgfmsd daemon may allow a remote, non-authenticated attacker to execute unauthorized code as root via sending a specifically crafted request to the fgfm port of the targeted device.
Severity CVSS v4.0: Pending analysis
Last modification:
31/01/2025

CVE-2024-12782

Publication date:
19/12/2024
A vulnerability has been found in Fujifilm Business Innovation Apeos C3070, Apeos C5570 and Apeos C6580 up to 24.8.28 and classified as critical. This vulnerability affects unknown code of the file /home/index.html#hashHome of the component Web Interface. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor explains that "during technical verification it is not possible to reproduce any active actions like reboots which were mentioned in the original researcher disclosure."
Severity CVSS v4.0: MEDIUM
Last modification:
28/02/2025

CVE-2024-45818

Publication date:
19/12/2024
The hypervisor contains code to accelerate VGA memory accesses for HVM guests, when the (virtual) VGA is in "standard" mode. Locking involved there has an unusual discipline, leaving a lock acquired past the return from the function that acquired it. This behavior results in a problem when emulating an instruction with two memory accesses, both of which touch VGA memory (plus some further constraints which aren't relevant here). When emulating the 2nd access, the lock that is already being held would be attempted to be re-acquired, resulting in a deadlock.
This deadlock was already found when the code was first introduced, but was analysed incorrectly and the fix was incomplete. Analysis in light of the new finding cannot find a way to make the existing locking discipline work.
In staging, this logic has all been removed because it was discovered to be accidentally disabled since Xen 4.7. Therefore, we are fixing the locking problem by backporting the removal of most of the feature. Note that even with the feature disabled, the lock would still be acquired for any accesses to the VGA MMIO region.
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2025