Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database for users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-10051

Publication date:
20/03/2025
Realchar version v0.0.4 is vulnerable to an unauthenticated denial of service (DoS) attack. The vulnerability exists in the file upload request handling, where appending characters, such as dashes (-), to the end of a multipart boundary in an HTTP request causes the server to continuously process each character. This leads to excessive resource consumption and renders the service unavailable. The issue is unauthenticated and does not require any user interaction, impacting all users of the service.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025

CVE-2024-10109

Publication date:
20/03/2025
A vulnerability in the mintplex-labs/anything-llm repository, as of commit 5c40419, allows low privilege users to access the sensitive API endpoint "/api/system/custom-models". This access enables them to modify the model's API key and base path, leading to potential API key leakage and denial of service on chats.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025

CVE-2024-10110

Publication date:
20/03/2025
In version 3.23.0 of aimhubio/aim, the ScheduledStatusReporter object can be instantiated to run on the main thread of the tracking server, leading to the main thread being blocked indefinitely. This results in a denial of service as the tracking server becomes unable to respond to other requests.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025

CVE-2024-10188

Publication date:
20/03/2025
A vulnerability in BerriAI/litellm, as of commit 26c03c9, allows unauthenticated users to cause a Denial of Service (DoS) by exploiting the use of ast.literal_eval to parse user input. This function is not safe and is prone to DoS attacks, which can crash the litellm Python server.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025

CVE-2024-10096

Publication date:
20/03/2025
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2025

CVE-2024-10047

Publication date:
20/03/2025
parisneo/lollms-webui versions v9.9 to the latest are vulnerable to a directory listing vulnerability. An attacker can list arbitrary directories on a Windows system by sending a specially crafted HTTP request to the /open_file endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2025

CVE-2024-10019

Publication date:
20/03/2025
A vulnerability in the `start_app_server` function of parisneo/lollms-webui V12 (Strawberry) allows for path traversal and OS command injection. The function does not properly sanitize the `app_name` parameter, enabling an attacker to upload a malicious `server.py` file and execute arbitrary code by exploiting the path traversal vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2025

CVE-2024-0245

Publication date:
20/03/2025
A misconfiguration in the AndroidManifest.xml file in hamza417/inure before build97 allows for task hijacking. This vulnerability permits malicious applications to inherit permissions of the vulnerable app, potentially leading to the exposure of sensitive information. An attacker can create a malicious app that hijacks the legitimate Inure app, intercepting and stealing sensitive information when installed on the victim's device. This issue affects all Android versions before Android 11.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025

CVE-2024-54016

Publication date:
20/03/2025
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in Apache Seata (incubating).

This issue affects Apache Seata (incubating): through
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2025

CVE-2024-47552

Publication date:
20/03/2025
Deserialization of Untrusted Data vulnerability in Apache Seata (incubating).

This issue affects Apache Seata (incubating): from 2.0.0 before 2.2.0.

Users are recommended to upgrade to version 2.2.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2025

CVE-2024-12016

Publication date:
20/03/2025
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CM Informatics CM News allows SQL Injection. This issue affects CM News: through 6.0.

NOTE: The vendor was contacted and it was learned that the product is not supported.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025

CVE-2025-1385

Publication date:
20/03/2025
When the library bridge feature is enabled, the clickhouse-library-bridge exposes an HTTP API on localhost. This allows clickhouse-server to dynamically load a library from a specified path and execute it in an isolated process. Combined with the ClickHouse table engine functionality that permits file uploads to specific directories, a misconfigured server can be exploited by an attacker with privileges to access both table engines to execute arbitrary code on the ClickHouse server.

You can check whether your ClickHouse server is vulnerable by inspecting the configuration file and confirming whether the following setting is enabled:

9019
Severity CVSS v4.0: HIGH
Last modification:
20/03/2025