Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-12074
Publication date:
20/03/2025
A Denial of Service (DoS) vulnerability was discovered in the file upload feature of automatic1111/stable-diffusion-webui version 1.10.0. The vulnerability is due to improper handling of form-data with a large filename in the file upload request. By sending a payload with an excessively large filename, the server becomes overwhelmed and unresponsive, leading to unavailability for legitimate users. This issue can be exploited without authentication, making it highly scalable and increasing the risk of exploitation.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025

CVE-2024-12215
Publication date:
20/03/2025
In kedro-org/kedro version 0.19.8, the `pull_package()` API function allows users to download and extract micro packages from the Internet. However, the function `project_wheel_metadata()` within the code path can execute the `setup.py` file inside the tar file, leading to remote code execution (RCE) by running arbitrary commands on the victim's machine.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025

CVE-2024-12216
Publication date:
20/03/2025
A vulnerability in the `ImageClassificationDataset.from_csv()` API of the `dmlc/gluon-cv` repository, version 0.10.0, allows for arbitrary file write. The function downloads and extracts `tar.gz` files from URLs without proper sanitization, making it susceptible to a TarSlip vulnerability. Attackers can exploit this by crafting malicious tar files that, when extracted, can overwrite files on the victim's system via path traversal or faked symlinks.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025

CVE-2024-12217
Publication date:
20/03/2025
A vulnerability in the gradio-app/gradio repository, version git 67e4044, allows for path traversal on Windows OS. The implementation of the blocked_path functionality, which is intended to disallow users from reading certain files, is flawed. Specifically, while the application correctly blocks access to paths like 'C:/tmp/secret.txt', it fails to block access when using NTFS Alternate Data Streams (ADS) syntax, such as 'C:/tmp/secret.txt::$DATA'. This flaw can lead to unauthorized reading of blocked file paths.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025

CVE-2024-12374
Publication date:
20/03/2025
A stored cross-site scripting (XSS) vulnerability exists in automatic1111/stable-diffusion-webui version git 82a973c. An attacker can upload an HTML file, which the application interprets as content-type application/html. If a victim accesses the malicious link, it will execute arbitrary JavaScript in the victim's browser.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025

CVE-2024-12375
Publication date:
20/03/2025
A local file inclusion vulnerability was identified in automatic1111/stable-diffusion-webui, affecting version git 82a973c. This vulnerability allows an attacker to read arbitrary files on the system by sending a specially crafted request to the application.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025

CVE-2024-12376
Publication date:
20/03/2025
A Server-Side Request Forgery (SSRF) vulnerability was identified in the lm-sys/fastchat web server, specifically in the affected version git 2c68a13. This vulnerability allows an attacker to access internal server resources and data that are otherwise inaccessible, such as AWS metadata credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025

CVE-2024-11958
Publication date:
20/03/2025
A SQL injection vulnerability exists in the `duckdb_retriever` component of the run-llama/llama_index repository, specifically in the latest version. The vulnerability arises from the construction of SQL queries without using prepared statements, allowing an attacker to inject arbitrary SQL code. This can lead to remote code execution (RCE) by installing the shellfs extension and executing malicious commands.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025

CVE-2024-12029
Publication date:
20/03/2025
A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by embedding malicious code in model files, which is executed upon loading. This issue is fixed in version 5.4.3.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025

CVE-2024-12039
Publication date:
20/03/2025
langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess attempts for password reset. This allows an unauthenticated attacker to reset owner, admin, or other user passwords within a few hours by guessing the six-digit code, resulting in a complete compromise of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025

CVE-2024-12044
Publication date:
20/03/2025
A remote code execution vulnerability exists in open-mmlab/mmdetection version v3.3.0. The vulnerability is due to the use of the `pickle.loads()` function in the `all_reduce_dict()` distributed training API without proper sanitization. This allows an attacker to execute arbitrary code by broadcasting a malicious payload to the distributed training network.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025

CVE-2024-12048
Publication date:
20/03/2025
An IDOR (Insecure Direct Object Reference) vulnerability exists in transformeroptimus/superagi version v0.0.14. The application fails to properly check authorization for multiple API endpoints, allowing attackers to view, edit, and delete other users' information without proper authorization. Affected endpoints include but are not limited to /get/project/{project_id}, /get/schedule_data/{agent_id}, /delete/{agent_id}, /get/organisation/{organisation_id}, and /get/user/{user_id}.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025
Subscribe to Vulnerabilities