Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-56199
Publication date:
02/01/2025
phpMyFAQ is an open source FAQ web application. Starting no later than version 3.2.10 and prior to version 4.0.2, an attacker can inject malicious HTML content into the FAQ editor at `http[:]//localhost/admin/index[.]php?action=editentry`, resulting in a complete disruption of the FAQ page's user interface. By injecting malformed HTML elements styled to cover the entire screen, an attacker can render the page unusable. This injection manipulates the page structure by introducing overlapping buttons, images, and iframes, breaking the intended layout and functionality. Exploiting this issue can lead to Denial of Service for legitimate users, damage to the user experience, and potential abuse in phishing or defacement attacks. Version 4.0.2 contains a patch for the vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
14/08/2025

CVE-2024-11716
Publication date:
02/01/2025
While assignment of a user to a team (bracket) in CTFd should be possible only once, at the registration, a flaw in logic implementation allows an authenticated user to reset it&amp;#39;s bracket and then pick a new one, joining another team while a competition is already ongoing.<br /> This issue impacts releases from 3.7.0 up to 3.7.4 and was addressed by pull request 2636 https://github.com/CTFd/CTFd/pull/2636  included in 3.7.5 release.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2024-11717
Publication date:
02/01/2025
Tokens in CTFd used for account activation and password resetting can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and they are not single use, which means, that during token expiration time an on-path attacker might reuse such a token to change user&amp;#39;s password and take over the account. Moreover, the tokens also include base64 encoded user email.<br /> <br /> This issue impacts releases up to 3.7.4 and was addressed by pull request 2679 https://github.com/CTFd/CTFd/pull/2679  included in 3.7.5 release.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2025-0172
Publication date:
02/01/2025
A vulnerability has been found in code-projects Chat System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/deleteroom.php. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
03/04/2025

CVE-2024-55543
Publication date:
02/01/2025
Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169.
Severity CVSS v4.0: Pending analysis
Last modification:
02/01/2025

CVE-2024-9950
Publication date:
02/01/2025
A vulnerability in Forescout SecureConnector v11.3.07.0109 on Windows allows <br /> <br /> unauthenticated user to modify compliance scripts due to insecure temporary directory.
Severity CVSS v4.0: HIGH
Last modification:
17/10/2025

CVE-2024-55542
Publication date:
02/01/2025
Local privilege escalation due to excessive permissions assigned to Tray Monitor service. The following products are affected: Acronis Cyber Protect 16 (Linux, macOS, Windows) before build 39169, Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 35895.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-56413
Publication date:
02/01/2025
Missing session invalidation after user deletion. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-56414
Publication date:
02/01/2025
Web installer integrity check used weak hash algorithm. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2023-23672
Publication date:
02/01/2025
Missing Authorization vulnerability in Liquid Web / StellarWP GiveWP.This issue affects GiveWP: from n/a through 2.25.1.
Severity CVSS v4.0: Pending analysis
Last modification:
25/02/2025

CVE-2024-55540
Publication date:
02/01/2025
Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169.
Severity CVSS v4.0: Pending analysis
Last modification:
02/01/2025

CVE-2024-55541
Publication date:
02/01/2025
Stored cross-site scripting (XSS) vulnerability due to missing origin validation in postMessage. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39169.
Severity CVSS v4.0: Pending analysis
Last modification:
02/01/2025
Subscribe to Vulnerabilities