Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-43862
Publication date:
21/08/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: wan: fsl_qmc_hdlc: Convert carrier_lock spinlock to a mutex<br /> <br /> The carrier_lock spinlock protects the carrier detection. While it is<br /> held, framer_get_status() is called which in turn takes a mutex.<br /> This is not correct and can lead to a deadlock.<br /> <br /> A run with PROVE_LOCKING enabled detected the issue:<br /> [ BUG: Invalid wait context ]<br /> ...<br /> c204ddbc (&amp;framer-&gt;mutex){+.+.}-{3:3}, at: framer_get_status+0x40/0x78<br /> other info that might help us debug this:<br /> context-{4:4}<br /> 2 locks held by ifconfig/146:<br /> #0: c0926a38 (rtnl_mutex){+.+.}-{3:3}, at: devinet_ioctl+0x12c/0x664<br /> #1: c2006a40 (&amp;qmc_hdlc-&gt;carrier_lock){....}-{2:2}, at: qmc_hdlc_framer_set_carrier+0x30/0x98<br /> <br /> Avoid the spinlock usage and convert carrier_lock to a mutex.
Severity CVSS v4.0: Pending analysis
Last modification:
03/09/2024

CVE-2024-43863
Publication date:
21/08/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/vmwgfx: Fix a deadlock in dma buf fence polling<br /> <br /> Introduce a version of the fence ops that on release doesn&amp;#39;t remove<br /> the fence from the pending list, and thus doesn&amp;#39;t require a lock to<br /> fix poll-&gt;fence wait-&gt;fence unref deadlocks.<br /> <br /> vmwgfx overwrites the wait callback to iterate over the list of all<br /> fences and update their status, to do that it holds a lock to prevent<br /> the list modifcations from other threads. The fence destroy callback<br /> both deletes the fence and removes it from the list of pending<br /> fences, for which it holds a lock.<br /> <br /> dma buf polling cb unrefs a fence after it&amp;#39;s been signaled: so the poll<br /> calls the wait, which signals the fences, which are being destroyed.<br /> The destruction tries to acquire the lock on the pending fences list<br /> which it can never get because it&amp;#39;s held by the wait from which it<br /> was called.<br /> <br /> Old bug, but not a lot of userspace apps were using dma-buf polling<br /> interfaces. Fix those, in particular this fixes KDE stalls/deadlock.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-43864
Publication date:
21/08/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5e: Fix CT entry update leaks of modify header context<br /> <br /> The cited commit allocates a new modify header to replace the old<br /> one when updating CT entry. But if failed to allocate a new one, eg.<br /> exceed the max number firmware can support, modify header will be<br /> an error pointer that will trigger a panic when deallocating it. And<br /> the old modify header point is copied to old attr. When the old<br /> attr is freed, the old modify header is lost.<br /> <br /> Fix it by restoring the old attr to attr when failed to allocate a<br /> new modify header context. So when the CT entry is freed, the right<br /> modify header context will be freed. And the panic of accessing<br /> error pointer is also fixed.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2025

CVE-2024-43865
Publication date:
21/08/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> s390/fpu: Re-add exception handling in load_fpu_state()<br /> <br /> With the recent rewrite of the fpu code exception handling for the<br /> lfpc instruction within load_fpu_state() was erroneously removed.<br /> <br /> Add it again to prevent that loading invalid floating point register<br /> values cause an unhandled specification exception.
Severity CVSS v4.0: Pending analysis
Last modification:
10/10/2025

CVE-2024-22281
Publication date:
20/08/2024
** UNSUPPORTED WHEN ASSIGNED ** The Apache Helix Front (UI) component contained a hard-coded secret, allowing an attacker to spoof sessions by generating their own fake cookies.<br /> <br /> This issue affects Apache Helix Front (UI): all versions.<br /> <br /> As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.<br /> <br /> NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2024-43403
Publication date:
20/08/2024
Kanister is a data protection workflow management tool. The kanister has a deployment called default-kanister-operator, which is bound with a ClusterRole called edit via ClusterRoleBinding. The "edit" ClusterRole is one of Kubernetes default-created ClusterRole, and it has the create/patch/udpate verbs of daemonset resources, create verb of serviceaccount/token resources, and impersonate verb of serviceaccounts resources. A malicious user can leverage access the worker node which has this component to make a cluster-level privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-43861
Publication date:
20/08/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: usb: qmi_wwan: fix memory leak for not ip packets<br /> <br /> Free the unused skb when not ip packets arrive.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-42361
Publication date:
20/08/2024
Hertzbeat is an open source, real-time monitoring system. Hertzbeat 1.6.0 and earlier declares a /api/monitor/{monitorId}/metric/{metricFull} endpoint to download job metrics. In the process, it executes a SQL query with user-controlled data, allowing for SQL injection.
Severity CVSS v4.0: Pending analysis
Last modification:
28/08/2024

CVE-2024-42362
Publication date:
20/08/2024
Hertzbeat is an open source, real-time monitoring system. Hertzbeat has an authenticated (user role) RCE via unsafe deserialization in /api/monitors/import. This vulnerability is fixed in 1.6.0.
Severity CVSS v4.0: Pending analysis
Last modification:
28/08/2024

CVE-2024-42363
Publication date:
20/08/2024
Prior to 3385, the user-controlled role parameter enters the application in the Kubernetes::RoleVerificationsController. The role parameter flows into the RoleConfigFile initializer and then into the Kubernetes::Util.parse_file method where it is unsafely deserialized using the YAML.load_stream method. This issue may lead to Remote Code Execution (RCE). This vulnerability is fixed in 3385.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-43396
Publication date:
20/08/2024
Khoj is an application that creates personal AI agents. The Automation feature allows a user to insert arbitrary HTML inside the task instructions, resulting in a Stored XSS. The q parameter for the /api/automation endpoint does not get correctly sanitized when rendered on the page, resulting in the ability of users to inject arbitrary HTML/JS. This vulnerability is fixed in 1.15.0.
Severity CVSS v4.0: Pending analysis
Last modification:
03/09/2024

CVE-2024-41657
Publication date:
20/08/2024
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to the a logic error in checking only for a prefix when authenticating the Origin header, any domain can create a valid subdomain with a valid subdomain prefix (Ex: localhost.example.com), allowing the website to make requests to Casdoor as the current signed-in user.
Severity CVSS v4.0: Pending analysis
Last modification:
28/08/2024
Subscribe to Vulnerabilities