Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-39925

Publication date:

13/09/2024

An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. It lacks an offboarding process for members who leave an organization. As a result, the shared organization key is not rotated when a member departs. Consequently, the departing member, whose access should be revoked, retains a copy of the organization key. Additionally, the application fails to adequately protect some encrypted data stored on the server. Consequently, an authenticated user could gain unauthorized access to encrypted data of any organization, even if the user is not a member of the targeted organization. However, the user would need to know the corresponding organizationId. Hence, if a user (whose access to an organization has been revoked) already possesses the organization key, that user could use the key to decrypt the leaked data.

Severity CVSS v4.0: Pending analysis

Last modification:

10/07/2025

CVE-2024-6087

Publication date:

13/09/2024

An improper access control vulnerability exists in lunary-ai/lunary at the latest commit (a761d83) on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the &#39;invite user&#39; functionality to obtain valid JWT tokens. These tokens can be used to compromise target users upon registration for their own arbitrary organizations. The attacker can invite a target email, obtain a one-time use token, retract the invite, and later use the token to reset the password of the target user, leading to full account takeover.

Severity CVSS v4.0: Pending analysis

Last modification:

15/10/2025

CVE-2024-6582

Publication date:

13/09/2024

A broken access control vulnerability exists in the latest version of lunary-ai/lunary. The `saml.ts` file allows a user from one organization to update the Identity Provider (IDP) settings and view the SSO metadata of another organization. This vulnerability can lead to unauthorized access and potential account takeover if the email of a user in the target organization is known.

Severity CVSS v4.0: Pending analysis

Last modification:

03/11/2024

CVE-2024-6862

Publication date:

13/09/2024

A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. This vulnerability allows an attacker to sign up for and create projects or use the instance as if they were a user with local access. The main attack vector is for instances hosted locally on personal machines, which are not publicly accessible. The CORS settings in the backend permit all origins, exposing unauthenticated endpoints to CSRF attacks.

Severity CVSS v4.0: Pending analysis

Last modification:

19/09/2024

CVE-2024-6867

Publication date:

13/09/2024

An information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the specified run but also all runs that have the `run_id` listed as their parent run. This issue affects the main branch, commit a761d833. The vulnerability allows unauthorized users to obtain information about non-public runs and their related runs, given the `run_id` of a public or non-public run.

Severity CVSS v4.0: Pending analysis

Last modification:

19/09/2024

CVE-2024-31416

Publication date:

13/09/2024

The Eaton Foreseer software provides multiple customizable input fields for the users to configure parameters in the tool like alarms, reports, etc. Some of these input fields were not checking the length and bounds of the entered value. The exploit of this security flaw by a bad actor may result in excessive memory consumption or integer overflow.

Severity CVSS v4.0: Pending analysis

Last modification:

26/08/2025

CVE-2024-43099

Publication date:

13/09/2024

The session hijacking attack targets the application layer&#39;s control mechanism, which manages authenticated sessions between a host PC and a PLC. During such sessions, a session key is utilized to maintain security. However, if an attacker captures this session key, they can inject traffic into an ongoing authenticated session. To successfully achieve this, the attacker also needs to spoof both the IP address and MAC address of the originating host which is typical of a session-based attack.

Severity CVSS v4.0: HIGH

Last modification:

14/09/2024

CVE-2024-45368

Publication date:

13/09/2024

The H2-DM1E PLC&#39;s authentication protocol appears to utilize either a custom encoding scheme or a challenge-response protocol. However, there&#39;s an observed anomaly in the H2-DM1E PLC&#39;s protocol execution, namely its acceptance of multiple distinct packets as valid authentication responses. This behavior deviates from standard security practices where a single, specific response or encoding pattern is expected for successful authentication.

Severity CVSS v4.0: Pending analysis

Last modification:

14/09/2024

CVE-2024-31414

Publication date:

13/09/2024

The Eaton Foreseer software provides users the capability to customize the dashboard in WebView pages. However, the input fields for this feature in the Eaton Foreseer software lacked proper input sanitization on the server-side, which could lead to injection and execution of malicious scripts when abused by bad actors.

Severity CVSS v4.0: Pending analysis

Last modification:

19/09/2024

CVE-2024-31415

Publication date:

13/09/2024

The Eaton Foreseer software provides the feasibility for the user to configure external servers for multiple purposes such as network management, user management, etc. The software uses encryption to store these configurations securely on the host machine. However, the keys used for this encryption were insecurely stored, which could be abused to possibly change or remove the server configuration.

Severity CVSS v4.0: Pending analysis

Last modification:

26/08/2025

CVE-2024-44798

Publication date:

13/09/2024

phpgurukul Bus Pass Management System 1.0 is vulnerable to Cross-site scripting (XSS) in /admin/pass-bwdates-reports-details.php via fromdate and todate parameters.

Severity CVSS v4.0: Pending analysis

Last modification:

16/09/2024

CVE-2024-44685

Publication date:

13/09/2024

Titan SFTP and Titan MFT Server 2.0.25.2426 and earlier have a vulnerability a vulnerability where sensitive information, including passwords, is exposed in clear text within the JSON response when configuring SMTP settings via the Web UI.

Severity CVSS v4.0: Pending analysis

Last modification:

13/09/2024

Subscribe to Vulnerabilities