Vulnerabilities

To inform, warn and assist professionals about the latest security vulnerabilities in technology systems, we provide a database, in Spanish, of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally the list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still translating them. Vulnerabilities are identified using the CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names, which supports the exchange of information between different tools and databases.

Every vulnerability collected is linked to its information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-42370

Publication date:
12/08/2024
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. In versions 2.10.0 and prior, Litestar's `docs-preview.yml` workflow is vulnerable to Environment Variable injection which may lead to secret exfiltration and repository manipulation. This issue grants a malicious actor the permission to write issues, read metadata, and write pull requests. In addition, the `DOCS_PREVIEW_DEPLOY_TOKEN` is exposed to the attacker. Commit 84d351e96aaa2a1338006d6e7221eded161f517b contains a fix for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026
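
The mechanism behind the Litestar entry, as an added illustration (this is not Litestar's `docs-preview.yml` and does not reproduce its workflow): a step that appends untrusted text such as a pull request title to `$GITHUB_ENV` with a plain `NAME=value` line lets a newline in that text define further variables for every later step. The parser below is a simplified stand-in for the runner's own handling of the file, and the malicious title is constructed.

```python
"""Added example (not Litestar's docs-preview.yml): how untrusted text appended
to $GITHUB_ENV injects extra variables, and the heredoc form that prevents it.
The parser is a simplified stand-in for the runner's own handling of the file."""
import secrets
from typing import Dict


def parse_github_env(text: str) -> Dict[str, str]:
    """Simplified model of how a runner reads the GITHUB_ENV file:
    one NAME=value per line, or NAME<<DELIM ... DELIM for multi-line values."""
    env: Dict[str, str] = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if not line.strip():
            i += 1
            continue
        head = line.split("<<", 1)[0]
        if "<<" in line and "=" not in head:
            # heredoc block: every line up to the delimiter line is the value
            name, delim = head, line.split("<<", 1)[1]
            body = []
            i += 1
            while i < len(lines) and lines[i] != delim:
                body.append(lines[i])
                i += 1
            env[name] = "\n".join(body)
            i += 1  # skip the closing delimiter line
            continue
        name, _, value = line.partition("=")
        env[name] = value
        i += 1
    return env


def naive_env_line(name: str, value: str) -> str:
    """Mirrors the vulnerable shell step  echo "NAME=$VALUE" >> "$GITHUB_ENV":
    a newline inside VALUE starts a new NAME=value line."""
    return f"{name}={value}\n"


def heredoc_env_block(name: str, value: str) -> str:
    """Mirrors the safe form  { echo "NAME<<$D"; echo "$VALUE"; echo "$D"; } >> "$GITHUB_ENV"
    with a random delimiter, so no attacker-chosen value can close the block early."""
    delim = "ghadelim_" + secrets.token_hex(16)
    assert delim not in value  # practically impossible; kept as a sanity check
    return f"{name}<<{delim}\n{value}\n{delim}\n"


# Constructed attacker-controlled input (a PR title); not taken from any real PR.
MALICIOUS_TITLE = "Fix typo\nLD_PRELOAD=/tmp/evil.so\nNODE_OPTIONS=--require /tmp/evil.js"


def env_after_naive_step() -> Dict[str, str]:
    """Environment later steps would see after the vulnerable write."""
    return parse_github_env(naive_env_line("PR_TITLE", MALICIOUS_TITLE))


def env_after_heredoc_step() -> Dict[str, str]:
    """Environment later steps would see after the heredoc write."""
    return parse_github_env(heredoc_env_block("PR_TITLE", MALICIOUS_TITLE))


if __name__ == "__main__":
    print("naive  :", env_after_naive_step())
    print("heredoc:", env_after_heredoc_step())
```

With the naive write the later steps inherit `LD_PRELOAD` and `NODE_OPTIONS`, variables that the loader and Node respectively honour, which is how an environment-variable injection turns into code execution inside the job and, from there, into reads of the secrets the job holds. With the heredoc write the whole title stays a single `PR_TITLE` value. In a real workflow the same rule applies to `run:` scripts: pass untrusted event fields in through an `env:` mapping rather than interpolating `${{ }}` into the script body.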

CVE-2024-42467

Publication date:
12/08/2024
openHAB, a provider of open-source home automation software, has add-ons including the visualization add-on CometVisu. Prior to version 4.2.1, the proxy endpoint of openHAB's CometVisu add-on can be accessed without authentication. This proxy feature can be exploited as Server-Side Request Forgery (SSRF) to induce GET HTTP requests to internal-only servers, in case openHAB is exposed in a non-private network. Furthermore, this proxy feature can also be exploited as a Cross-Site Scripting (XSS) vulnerability, as an attacker is able to re-route a request to their server and return a page with malicious JavaScript code. Since the browser receives this data directly from the openHAB CometVisu UI, this JavaScript code will be executed with the origin of the CometVisu UI. This allows an attacker to call endpoints on an openHAB server even if the openHAB server is located in a private network (e.g. by sending an openHAB admin a link that proxies malicious JavaScript). This issue may lead up to Remote Code Execution (RCE) when chained with other vulnerabilities. Users should upgrade to version 4.2.1 of the CometVisu add-on of openHAB to receive a patch.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024
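
The two halves of the CometVisu proxy issue, authentication plus SSRF on the request side and origin-bearing content on the response side, as an added example of how a proxy endpoint can be constrained. This is illustrative code, not openHAB's or the CometVisu add-on's; the host allowlist and media-type list are constructed for the example.

```python
"""Added example (not openHAB's CometVisu code): vetting a proxy target before
fetching it, and constraining what the proxy relays back to the browser.
Host allowlist and media-type list are constructed for the example."""
import ipaddress
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Constructed allowlist: the upstream hosts this proxy is legitimately meant to reach.
ALLOWED_HOSTS = {"weather.example.org", "status.example.org"}
# Constructed list of media types the UI actually consumes through the proxy.
ALLOWED_MEDIA_TYPES = {"application/json", "text/plain", "image/png", "image/jpeg"}


def vet_proxy_target(url: str, session_authenticated: bool) -> Tuple[bool, str]:
    """Return (ok, reason). Rejects unauthenticated callers, non-HTTP schemes,
    embedded credentials, non-public literal addresses and hosts off the allowlist."""
    if not session_authenticated:
        return False, "authentication required"
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname, not a literal address
    if ip is not None and not ip.is_global:
        # loopback, RFC 1918, link-local (including 169.254.169.254), ULA, ...
        return False, f"non-public address: {host}"
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host not in allowlist: {host}"
    return True, "ok"


def relay_headers(upstream_content_type: str) -> Tuple[bool, Dict[str, str]]:
    """Decide whether an upstream response may be relayed, and with which headers.
    HTML (or anything unexpected) is refused, so a rogue or redirected upstream
    cannot hand the browser a script-bearing document under the UI's origin."""
    media_type = upstream_content_type.split(";", 1)[0].strip().lower()
    if media_type not in ALLOWED_MEDIA_TYPES:
        return False, {}
    return True, {
        "Content-Type": media_type,
        "X-Content-Type-Options": "nosniff",   # no MIME sniffing into text/html
        "Content-Security-Policy": "sandbox",  # if rendered anyway: no script, no same-origin
    }


if __name__ == "__main__":
    for target in ("https://weather.example.org/api/now",
                   "http://169.254.169.254/latest/meta-data/",
                   "http://127.0.0.1:8080/rest/items"):
        print(target, "->", vet_proxy_target(target, session_authenticated=True))
    print(relay_headers("text/html; charset=utf-8"))
```

The allowlist is the real control; the address-range check is a backstop for deployments that put literal addresses on the list. Two things this check does not cover and a real implementation must: the name must be resolved and the resulting address re-checked at connect time (otherwise DNS rebinding defeats the allowlist), and upstream redirects must not be followed automatically, since a permitted host can redirect the proxy into the internal network.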

CVE-2024-42468

Publication date:
12/08/2024
openHAB, a provider of open-source home automation software, has add-ons including the visualization add-on CometVisu. CometVisuServlet in versions prior to 4.2.1 is susceptible to an unauthenticated path traversal vulnerability. Local files on the server can be requested via HTTP GET on the CometVisuServlet. This issue may lead to information disclosure. Users should upgrade to version 4.2.1 of the CometVisu add-on of openHAB to receive a patch.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2024
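
The path traversal in the second CometVisu entry is the classic "join the request path onto a root directory and serve whatever results" defect. The added example below (illustrative, not the CometVisuServlet's code) shows that pattern next to a containment check that canonicalises the path first; the document root is a temporary directory created for the example.

```python
"""Added example (not openHAB's CometVisuServlet): mapping a client-supplied path
onto a file under a fixed root so that '..' sequences, percent-encoded variants
and absolute paths cannot reach files outside it."""
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Constructed document root for the example (stands in for the add-on's resource directory).
ROOT = Path(tempfile.mkdtemp(prefix="cometvisu-example-"))


def naive_resolve(root: Path, requested: str) -> Path:
    """The vulnerable pattern: concatenate and serve. '..' walks out of root."""
    return Path(f"{root}/{unquote(requested)}").resolve()


def escapes_root(root: Path, requested: str) -> bool:
    """True when the naive join lands outside root (what the advisory describes)."""
    target = naive_resolve(root, requested)
    root_real = root.resolve()
    return target != root_real and root_real not in target.parents


def resolve_under_root(root: Path, requested: str) -> Optional[Path]:
    """Return the real path of the requested file if it lies under root, else None."""
    decoded = unquote(requested)  # decode exactly once; never decode again later
    if "\x00" in decoded:
        return None               # a NUL byte would truncate the path in native code
    root_real = root.resolve()
    # Treat the request as relative even if it starts with '/', then canonicalise
    # (collapses '.', '..' and follows symlinks) before the containment check.
    candidate = (root_real / decoded.lstrip("/")).resolve()
    if candidate != root_real and root_real not in candidate.parents:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("config/visu_config.xml", "../../../etc/passwd", "%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{req!r}: naive escapes root={escapes_root(ROOT, req)}, "
              f"guarded={resolve_under_root(ROOT, req)}")
```

Canonicalising before comparing is the essential step: a substring check for `..` on the raw request misses the percent-encoded form and symlinked directories, whereas comparing the resolved candidate against the resolved root catches both. Decoding once matters too; a servlet container has usually decoded the path already, so a second decode would turn `%252e%252e` into a traversal that the earlier check never saw.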

CVE-2024-42166

Publication date:
12/08/2024
The function "generate_app_certificates" in lib/app_certificates.js of FIWARE Keyrock
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024

CVE-2024-42167

Publication date:
12/08/2024
The function "generate_app_certificates" in controllers/saml2/saml2.js of FIWARE Keyrock
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024

CVE-2024-42001

Publication date:
12/08/2024
An improper authentication vulnerability affecting Vonets industrial wifi bridge relays and wifi bridge repeaters, software versions 3.3.23.6.9 and prior, enables an unauthenticated remote attacker to bypass authentication via a specially crafted direct request when another user has an active session.
Severity CVSS v4.0: Pending analysis
Last modification:
20/08/2024

CVE-2024-42163

Publication date:
12/08/2024
Insufficiently random values for generating password reset token in FIWARE Keyrock
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024

CVE-2024-42164

Publication date:
12/08/2024
Insufficiently random values for generating password reset token in FIWARE Keyrock
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024

CVE-2024-42165

Publication date:
12/08/2024
Insufficiently random values for generating activation token in FIWARE Keyrock
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024
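
The three FIWARE Keyrock entries above share one root cause, insufficiently random reset and activation tokens. As an added example (not Keyrock's code; the timestamp seed and the attacker's time window are constructed), this block shows why a token drawn from a general-purpose PRNG with a guessable seed can be recovered by brute force, and the CSPRNG-based replacement together with hashed storage and constant-time comparison.

```python
"""Added example (not FIWARE Keyrock code): why a token drawn from a
non-cryptographic PRNG with a guessable seed is recoverable, and the
secrets-based replacement. Seeds and timestamps are constructed."""
import hashlib
import hmac
import random
import secrets
import string
from typing import Optional

ALPHABET = string.ascii_letters + string.digits
TOKEN_LEN = 32


def weak_token(seed: int) -> str:
    """Insecure: Mersenne Twister seeded from something an attacker can estimate
    (here a Unix timestamp in seconds). Same seed, same token."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(TOKEN_LEN))


def recover_weak_token_seed(observed: str, approx_seed: int, window: int = 600) -> Optional[int]:
    """Attacker side: brute-force the seed around the estimated issue time.
    600 seconds either way is 1201 candidates, which is instant."""
    for seed in range(approx_seed - window, approx_seed + window + 1):
        if weak_token(seed) == observed:
            return seed
    return None


def strong_token() -> str:
    """Secure: 32 bytes (256 bits) from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(32)


def token_fingerprint(token: str) -> str:
    """Store only a hash of the token, so a database read does not yield usable tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


def token_matches(stored_fingerprint: str, presented: str) -> bool:
    """Constant-time comparison against the stored fingerprint."""
    return hmac.compare_digest(stored_fingerprint, token_fingerprint(presented))


if __name__ == "__main__":
    issued_at = 1_700_000_000           # constructed issue time
    leaked = weak_token(issued_at)      # the attacker triggers a reset for the victim
    print("weak token:", leaked)
    print("recovered seed:", recover_weak_token_seed(leaked, issued_at + 240))
    print("strong token:", strong_token())
```

The attacker does not need the token value to leak: requesting a reset for the victim's account fixes the issue time to within a few seconds, and every candidate token in that window can be tried against the reset endpoint. A token from `secrets` has 256 bits of entropy, so there is no window to search; hashing it at rest and comparing in constant time close the remaining two ways a reset token is commonly recovered.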

CVE-2024-41482

Publication date:
12/08/2024
Typora before 1.9.3 Markdown editor has a cross-site scripting (XSS) vulnerability via the MathJax component.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2025

CVE-2024-41570

Publication date:
12/08/2024
An Unauthenticated Server-Side Request Forgery (SSRF) in demon callback handling in Havoc 2 0.7 allows attackers to send arbitrary network traffic originating from the team server.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024

CVE-2024-41577

Publication date:
12/08/2024
An arbitrary file upload vulnerability in the Ueditor component of productinfoquick v1.0 allows attackers to execute arbitrary code via uploading a crafted PNG file.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026