Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-12782

Publication date:
19/12/2024
A vulnerability has been found in Fujifilm Business Innovation Apeos C3070, Apeos C5570 and Apeos C6580 up to 24.8.28 and classified as critical. This vulnerability affects unknown code of the file /home/index.html#hashHome of the component Web Interface. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor explains that "during technical verification it is not possible to reproduce any active actions like reboots which were mentioned in the original researcher disclosure."
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2024-45818

Publication date:
19/12/2024
The hypervisor contains code to accelerate VGA memory accesses for HVM guests, when the (virtual) VGA is in "standard" mode. Locking involved there has an unusual discipline, leaving a lock acquired past the return from the function that acquired it. This behavior results in a problem when emulating an instruction with two memory accesses, both of which touch VGA memory (plus some further constraints which aren't relevant here). When emulating the 2nd access, the lock that is already being held would be attempted to be re-acquired, resulting in a deadlock.
This deadlock was already found when the code was first introduced, but was analysed incorrectly and the fix was incomplete. Analysis in light of the new finding cannot find a way to make the existing locking discipline work.
In staging, this logic has all been removed because it was discovered to be accidentally disabled since Xen 4.7. Therefore, we are fixing the locking problem by backporting the removal of most of the feature. Note that even with the feature disabled, the lock would still be acquired for any accesses to the VGA MMIO region.
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2025

CVE-2024-45819

Publication date:
19/12/2024
PVH guests have their ACPI tables constructed by the toolstack. The construction involves building the tables in local memory, which are then copied into guest memory. While actually used parts of the local memory are filled in correctly, excess space that is being allocated is left with its prior contents.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2024-12626

Publication date:
19/12/2024
The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘a-0-o-search_field_value’ parameter in all versions up to, and including, 5.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. When used in conjunction with the plugin's import and code action feature, this vulnerability can be leveraged to execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-37962

Publication date:
19/12/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Agency Dominion Inc. Fusion fusion. This issue affects Fusion: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2024-12331

Publication date:
19/12/2024
The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_install_plugin' function in all versions up to, and including, 1.8.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the Filebird plugin.
Severity CVSS v4.0: Pending analysis
Last modification:
05/03/2025

CVE-2021-26115

Publication date:
19/12/2024
An OS command injection (CWE-78) vulnerability in FortiWAN version 4.5.7 and below Command Line Interface may allow a local, authenticated and unprivileged attacker to escalate their privileges to root via executing a specially-crafted command.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2020-15934

Publication date:
19/12/2024
An execution with unnecessary privileges vulnerability in the VCM engine of FortiClient for Linux versions 6.2.7 and below, version 6.4.0 may allow local users to elevate their privileges to root by creating a malicious script or program on the target machine.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2020-12820

Publication date:
19/12/2024
Under non-default configuration, a stack-based buffer overflow in FortiOS version 6.0.10 and below, version 5.6.12 and below may allow a remote attacker authenticated to the SSL VPN to crash the FortiClient NAC daemon (fcnacd) and potentially execute arbitrary code via requesting a large FortiClient file name. We are not aware of proof of concept code successfully achieving the latter.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2023-4617

Publication date:
19/12/2024
Incorrect authorization vulnerability in HTTP POST method in Govee Home application on Android and iOS allows remote attacker to control devices owned by other users via changing "device", "sku" and "type" fields' values. This issue affects Govee Home applications on Android and iOS in versions before 5.9.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-11616

Publication date:
19/12/2024
Netskope was made aware of a security vulnerability in Netskope Endpoint DLP’s Content Control Driver where a double-fetch issue leads to heap overflow. The vulnerability arises from the fact that the NumberOfBytes argument to ExAllocatePoolWithTag, and the Length argument for RtlCopyMemory, both independently dereference their value from the user supplied input buffer inside the EpdlpSetUsbAction function, known as a double-fetch. If this length value grows to a higher value in between these two calls, it will result in the RtlCopyMemory call copying user-supplied memory contents outside the range of the allocated buffer, resulting in a heap overflow. A malicious attacker will need admin privileges to exploit the issue. This issue affects Endpoint DLP version below R119.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2024-12569

Publication date:
19/12/2024
Disclosure of sensitive information in a Milestone XProtect Device Pack driver’s log file for third-party cameras, allows an attacker to read camera credentials stored in the Recording Server under specific conditions.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026