Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we make available to interested users a database, in Spanish, of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used so that information can be exchanged between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-41668

Publication date:
23/07/2024
The cBioPortal for Cancer Genomics provides visualization, analysis, and download of large-scale cancer genomics data sets. When running a publicly exposed proxy endpoint without authentication, cBioPortal could allow someone to perform a Server Side Request Forgery (SSRF) attack. Logged in users could do the same on private instances. A fix has been released in version 6.0.12. As a workaround, one might be able to disable `/proxy` endpoint entirely via, for example, nginx.
Severity CVSS v4.0: Pending analysis
Last modification:
24/07/2024

CVE-2024-41661

Publication date:
23/07/2024
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-50094. Reason: This candidate is a duplicate of CVE-2023-50094. Notes: All CVE users should reference CVE-2023-50094 instead of this candidate.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024

CVE-2024-41665

Publication date:
23/07/2024
Ampache, a web based audio/video streaming application and file manager, has a stored cross-site scripting (XSS) vulnerability in versions prior to 6.6.0. This vulnerability exists in the "Playlists - Democratic - Configure Democratic Playlist" feature. An attacker with Content Manager permissions can set the Name field to ``. When any administrator or user accesses the Democratic functionality, they will be affected by this stored XSS vulnerability. The attacker can exploit this vulnerability to obtain the cookies of any user or administrator who accesses the `democratic.php` file. Version 6.6.0 contains a patch for the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2025

CVE-2020-11640

Publication date:
23/07/2024
AdvaBuild uses a command queue to launch certain operations. An attacker who gains access to the command queue can use it to launch an attack by running any executable on the AdvaBuild node. The executables that can be run are not limited to AdvaBuild specific executables.

Improper Privilege Management vulnerability in ABB Advant MOD 300 AdvaBuild. This issue affects Advant MOD 300 AdvaBuild: from 3.0 through 3.7 SP2.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2020-11639

Publication date:
23/07/2024
An attacker could exploit the vulnerability by injecting garbage data or specially crafted data. Depending on the data injected each process might be affected differently. The process could crash or cause communication issues on the affected node, effectively causing a denial-of-service attack. The attacker could tamper with the data transmitted, causing the product to store wrong information or act on wrong data or display wrong information.

This issue affects Advant MOD 300 AdvaBuild: from 3.0 through 3.7 SP2.

For an attack to be successful, the attacker must have local access to a node in the system and be able to start a specially crafted application that disrupts the communication. An attacker who successfully exploited the vulnerability would be able to manipulate the data in such a way as to allow reads and writes to the controllers or cause Windows processes in 800xA for MOD 300 and AdvaBuild to crash.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2024-41664

Publication date:
23/07/2024
Canarytokens help track activity and actions on a network. Prior to `sha-8ea5315`, Canarytokens.org was vulnerable to a blind SSRF in the Webhook alert feature. When a Canarytoken is created, users choose to receive alerts either via email or via a webhook. If a webhook is supplied when a Canarytoken is first created, the site will make a test request to the supplied URL to ensure it accepts alert notification HTTP requests. No safety checks were performed on the URL, leading to a Server-Side Request Forgery vulnerability. The SSRF is Blind because the content of the response is not displayed to the creating user; they are simply told whether an error occurred in making the test request. Using the Blind SSRF, it was possible to map out open ports for IPs inside the Canarytokens.org infrastructure. This issue is now patched on Canarytokens.org. Users of self-hosted Canarytokens installations can update by pulling the latest Docker image, or any Docker image after `sha-097d91a`.
Severity CVSS v4.0: Pending analysis
Last modification:
24/07/2024
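
The two SSRF entries above (CVE-2024-41668's unauthenticated `/proxy` endpoint and CVE-2024-41664's webhook "test request") share one root cause: the server fetches a URL the user supplied without checking where it points. The following is an added example written for this listing, not code from cBioPortal or Canarytokens, showing the pre-flight check a practitioner would put in front of such a fetch. It resolves every A/AAAA record (a hostname with one public and one private record must fail), unwraps IPv4-mapped IPv6 literals, and rejects loopback, RFC 1918, link-local (including 169.254.169.254 cloud metadata), CGNAT, multicast and reserved space. The hostnames, addresses and the `FAKE_DNS` table are constructed so the example runs offline; `fake_resolve` is an assumed stand-in for real DNS.

```python
# Added example (not code from Canarytokens or cBioPortal): a pre-flight check
# for a user-supplied webhook/proxy URL before the server fetches it.
import ipaddress
import socket
from urllib.parse import urlsplit

# Extra ranges on top of the ipaddress flags: CGNAT (RFC 6598) and the
# "this network" block. Constructed list; extend it for your environment.
EXTRA_BLOCKED = [ipaddress.ip_network(n) for n in ("100.64.0.0/10", "0.0.0.0/8")]


def is_blocked_address(addr: str) -> bool:
    """True if addr is loopback, private, link-local (incl. 169.254.169.254),
    multicast, reserved, unspecified, or in EXTRA_BLOCKED. IPv4-mapped IPv6
    literals are unwrapped first so ::ffff:127.0.0.1 is caught too.
    Note: Python's ipaddress also flags the RFC 5737 documentation ranges
    (192.0.2.0/24 etc.) as private, which is why the samples below avoid them."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
        or ip.is_reserved or ip.is_unspecified
        or any(ip in net for net in EXTRA_BLOCKED)
    )


def _resolve_all(host: str) -> set[str]:
    """Default resolver: every A/AAAA record for host (all must be checked)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_webhook_url(url: str, resolve=_resolve_all) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only if scheme, host and every resolved
    address are acceptable. `resolve` is injectable so this runs offline."""
    try:
        parts = urlsplit(url)
        parts.port  # property access raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL is not allowed"
    try:
        ipaddress.ip_address(host)
        addrs = {host}                      # IP literal: nothing to resolve
    except ValueError:
        try:
            addrs = set(resolve(host))
        except OSError:                     # socket.gaierror is an OSError
            return False, f"{host} does not resolve"
    if not addrs:
        return False, f"{host} has no addresses"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


# Constructed DNS table so the example runs offline; a real deployment uses
# _resolve_all. evil.example.net mixes a public and a private record, the
# classic trick against a check that only looks at the first record.
FAKE_DNS = {
    "hooks.example.com": {"93.184.216.34"},
    "evil.example.net": {"93.184.216.35", "10.0.0.5"},
    "meta.example.org": {"169.254.169.254"},
}


def fake_resolve(host: str) -> set[str]:
    """Assumed stand-in for DNS, backed by the constructed FAKE_DNS table."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"{host}: name not known")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in (
        "https://hooks.example.com/alert",
        "http://127.0.0.1:8080/admin",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://evil.example.net/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", check_webhook_url(candidate, fake_resolve))
```

Two caveats the check alone does not cover: the HTTP client must be told not to follow redirects (or must re-run the check on every hop), and because the lookup here happens before the request, a DNS rebinding attacker can return a public address now and a private one a moment later; connect to the address you checked rather than re-resolving, or run the check inside the client's connection hook.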

CVE-2024-41178

Publication date:
23/07/2024
Exposure of temporary credentials in logs in Apache Arrow Rust Object Store (`object_store` crate), version 0.10.1 and earlier on all platforms using AWS WebIdentityTokens.

On certain error conditions, the logs may contain the OIDC token passed to AssumeRoleWithWebIdentity https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html . This allows someone with access to the logs to impersonate that identity, including performing their own calls to AssumeRoleWithWebIdentity, until the OIDC token expires. Typically OIDC tokens are valid for up to an hour, although this will vary depending on the issuer.

Users are recommended to use a different AWS authentication mechanism, disable logging or upgrade to version 0.10.2, which fixes this issue.

Details:

When using AWS WebIdentityTokens with the object_store crate, in the event of a failure and automatic retry, the underlying reqwest error, including the full URL with the credentials, potentially in the parameters, is written to the logs.

Thanks to Paul Hatcherian for reporting this vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025
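
The failure mode in the entry above is generic: an HTTP client's error text carries the full request URL, the URL carries a credential in its query string, and a retry loop logs the error. The following is an added example written for this listing, not code from the `object_store` crate or Apache Arrow, showing the log-side control a practitioner would add while waiting on a fix: a `logging.Filter` that scrubs credential-bearing query parameters and userinfo out of any URL in a record before it reaches a handler. `WebIdentityToken` is the real STS `AssumeRoleWithWebIdentity` parameter; the other names in `SENSITIVE_PARAMS`, the logger name and the sample error line (with a dummy token, not a real JWT) are constructed assumptions.

```python
# Added example (not code from the object_store crate or Apache Arrow): keep
# bearer material out of log lines when a failed request's URL is logged.
import logging
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters whose values are credentials. WebIdentityToken is the STS
# AssumeRoleWithWebIdentity parameter; the others are common token/signature
# names added here as assumptions for a general-purpose filter.
SENSITIVE_PARAMS = {
    "webidentitytoken", "x-amz-security-token", "x-amz-signature",
    "x-amz-credential", "token", "access_token", "id_token",
}
REDACTED = "REDACTED"
# Matches a URL embedded in free text; stops at whitespace, quotes or parens.
URL_RE = re.compile(r"https?://[^\s\"'<>()]+")


def redact_url(url: str) -> str:
    """Replace sensitive query values and any userinfo; keep the rest intact."""
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    netloc = parts.netloc
    if parts.username is not None or parts.password is not None:
        host = parts.hostname or ""
        if ":" in host:                       # re-bracket an IPv6 literal
            host = f"[{host}]"
        netloc = f"{REDACTED}@{host}"
        if parts.port is not None:
            netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path,
                       urlencode(query, safe=":/"), parts.fragment))


def redact_message(text: str) -> str:
    """Redact every URL embedded in a free-text log message."""
    return URL_RE.sub(lambda m: redact_url(m.group(0)), text)


class RedactUrlFilter(logging.Filter):
    """Attach to a handler: formats the record early, then scrubs URLs in it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_message(record.getMessage())
        record.args = ()          # already interpolated; nothing left to format
        return True


def demo_logging(message: str, *args) -> str:
    """Emit one record through a handler carrying RedactUrlFilter and return
    the formatted line, so the effect can be checked without a real log sink."""
    captured: list[str] = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            captured.append(self.format(record))

    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactUrlFilter())
    logger = logging.getLogger("object_store.redaction_demo")  # assumed name
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.warning(message, *args)
    return captured[0]


# Constructed sample of the kind of retry error line described above; the
# token value is a dummy string, not a real JWT.
SAMPLE_URL = ("https://sts.amazonaws.com/?Action=AssumeRoleWithWebIdentity"
              "&RoleArn=arn:aws:iam::123456789012:role/reader"
              "&RoleSessionName=job-42&Version=2011-06-15"
              "&WebIdentityToken=eyJhbGciOiJSUzI1NiJ9.dummy.payload")

if __name__ == "__main__":
    print(demo_logging("retry %d failed: error sending request for url (%s)",
                       1, SAMPLE_URL))
```

This is a containment measure, not a substitute for the upgrade: it only covers text that passes through the logging pipeline of this process, so exception tracebacks, stdout/stderr writes and anything a library logs through another channel still need the same treatment.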

CVE-2024-41663

Publication date:
23/07/2024
Canarytokens help track activity and actions on a network. A Cross-Site Scripting vulnerability was identified in the "Cloned Website" Canarytoken, whereby the Canarytoken's creator can attack themselves. The creator of a slow-redirect Canarytoken can insert Javascript into the destination URL of their slow redirect token. When the creator later browses the management page for their own Canarytoken, the Javascript executes. This is a self-XSS. An attacker could create a Canarytoken with this self-XSS, and send the management link to a victim. When they click on it, the Javascript would execute. However, no sensitive information (ex. session information) will be disclosed to the malicious actor. This issue is now patched on Canarytokens.org. Users of self-hosted Canarytokens installations can update by pulling the latest Docker image, or any Docker image after `sha-097d91a`.
Severity CVSS v4.0: Pending analysis
Last modification:
24/07/2024

CVE-2024-6714

Publication date:
23/07/2024
An issue was discovered in provd before version 0.1.5 with a setuid binary, which allows a local attacker to escalate their privilege.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2025

CVE-2024-39702

Publication date:
23/07/2024
In lj_str_hash.c in OpenResty 1.19.3.1 through 1.25.3.1, the string hashing function (used during string interning) allows HashDoS (Hash Denial of Service) attacks. An attacker could cause excessive resource usage during proxy operations via crafted requests, potentially leading to a denial of service with relatively few incoming requests. This vulnerability only exists in the OpenResty fork in the openresty/luajit2 GitHub repository. The LuaJIT/LuaJIT repository is unaffected.
Severity CVSS v4.0: Pending analysis
Last modification:
24/09/2025

CVE-2024-6783

Publication date:
23/07/2024
A vulnerability has been discovered in Vue, that allows an attacker to perform XSS via prototype pollution. The attacker could change the prototype chain of some properties such as `Object.prototype.staticClass` or `Object.prototype.staticStyle` to execute arbitrary JavaScript code.
Severity CVSS v4.0: Pending analysis
Last modification:
30/08/2024

CVE-2024-41319

Publication date:
23/07/2024
TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the cmd parameter in the webcmd function.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2024