Vulnerabilities

To inform, warn and assist professionals about the latest security vulnerabilities in technology systems, we provide a database, in Spanish, for anyone interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-43863

Publication date:
21/08/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/vmwgfx: Fix a deadlock in dma buf fence polling

Introduce a version of the fence ops that on release doesn't remove the fence from the pending list, and thus doesn't require a lock to fix poll->fence wait->fence unref deadlocks.

vmwgfx overwrites the wait callback to iterate over the list of all fences and update their status; to do that it holds a lock to prevent list modifications from other threads. The fence destroy callback both deletes the fence and removes it from the list of pending fences, for which it holds a lock.

dma buf polling cb unrefs a fence after it's been signaled: so the poll calls the wait, which signals the fences, which are being destroyed. The destruction tries to acquire the lock on the pending fences list, which it can never get because it's held by the wait from which it was called.

Old bug, but not a lot of userspace apps were using dma-buf polling interfaces. Fix those; in particular this fixes KDE stalls/deadlock.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-22281

Publication date:
20/08/2024
** UNSUPPORTED WHEN ASSIGNED ** The Apache Helix Front (UI) component contained a hard-coded secret, allowing an attacker to spoof sessions by generating their own fake cookies.

This issue affects Apache Helix Front (UI): all versions.

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2024-43403

Publication date:
20/08/2024
Kanister is a data protection workflow management tool. Kanister has a deployment called default-kanister-operator, which is bound to a ClusterRole called edit via a ClusterRoleBinding. The "edit" ClusterRole is one of the Kubernetes default-created ClusterRoles, and it has the create/patch/update verbs on daemonset resources, the create verb on serviceaccount/token resources, and the impersonate verb on serviceaccounts resources. A malicious user can leverage access to the worker node which has this component to make a cluster-level privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
21/08/2024

CVE-2024-43861

Publication date:
20/08/2024
In the Linux kernel, the following vulnerability has been resolved:

net: usb: qmi_wwan: fix memory leak for not ip packets

Free the unused skb when non-IP packets arrive.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-42361

Publication date:
20/08/2024
Hertzbeat is an open source, real-time monitoring system. Hertzbeat 1.6.0 and earlier declares a /api/monitor/{monitorId}/metric/{metricFull} endpoint to download job metrics. In the process, it executes a SQL query with user-controlled data, allowing for SQL injection.
Severity CVSS v4.0: Pending analysis
Last modification:
28/08/2024

CVE-2024-42362

Publication date:
20/08/2024
Hertzbeat is an open source, real-time monitoring system. Hertzbeat has an authenticated (user role) RCE via unsafe deserialization in /api/monitors/import. This vulnerability is fixed in 1.6.0.
Severity CVSS v4.0: Pending analysis
Last modification:
28/08/2024

CVE-2024-42363

Publication date:
20/08/2024
Prior to 3385, the user-controlled role parameter enters the application in the Kubernetes::RoleVerificationsController. The role parameter flows into the RoleConfigFile initializer and then into the Kubernetes::Util.parse_file method where it is unsafely deserialized using the YAML.load_stream method. This issue may lead to Remote Code Execution (RCE). This vulnerability is fixed in 3385.
Severity CVSS v4.0: Pending analysis
Last modification:
21/08/2024

CVE-2024-43396

Publication date:
20/08/2024
Khoj is an application that creates personal AI agents. The Automation feature allows a user to insert arbitrary HTML inside the task instructions, resulting in a Stored XSS. The q parameter for the /api/automation endpoint does not get correctly sanitized when rendered on the page, resulting in the ability of users to inject arbitrary HTML/JS. This vulnerability is fixed in 1.15.0.
Severity CVSS v4.0: Pending analysis
Last modification:
03/09/2024

CVE-2024-41657

Publication date:
20/08/2024
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross-domain requests to Casdoor as the logged-in user. Due to a logic error in checking only for a prefix when authenticating the Origin header, any domain can create a valid subdomain with a valid subdomain prefix (e.g. localhost.example.com), allowing the website to make requests to Casdoor as the current signed-in user.
Severity CVSS v4.0: Pending analysis
Last modification:
28/08/2024

CVE-2024-41658

Publication date:
20/08/2024
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, the purchase URL that is created to generate a WechatPay QR code is vulnerable to reflected XSS. When purchasing an item through Casdoor, the product page allows you to pay via WeChat Pay. When using WeChat Pay, a QR code with the WeChat Pay link is displayed on the payment page, hosted on the domain of Casdoor. This page takes a query parameter from the URL, successUrl, and redirects the user to that URL after a successful purchase. Because the user has no reason to think that the payment page contains sensitive information, they may share it with others or can be social-engineered into sending it to others. An attacker can then craft the Casdoor link with a special URL and send it back to the user, and once payment has gone through an XSS attack occurs.
Severity CVSS v4.0: Pending analysis
Last modification:
28/08/2024

CVE-2024-7711

Publication date:
20/08/2024
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server, allowing an attacker to update the title, assignees, and labels of any issue inside a public repository. This was only exploitable inside a public repository. This vulnerability affected GitHub Enterprise Server versions before 3.14 and was fixed in versions 3.13.3, 3.12.8, and 3.11.14. Version 3.10 of GitHub Enterprise Server is not affected. This vulnerability was reported via the GitHub Bug Bounty program.
Severity CVSS v4.0: Pending analysis
Last modification:
27/09/2024

CVE-2024-6337

Publication date:
20/08/2024
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a GitHub App with only content: read and pull_request_write: write permissions to read issue content inside a private repository. This was only exploitable via a user access token; installation access tokens were not impacted. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.3, 3.12.8, 3.11.14 and 3.10.16. This vulnerability was reported via the GitHub Bug Bounty program.
Severity CVSS v4.0: Pending analysis
Last modification:
27/09/2024