Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-49362
Publication date:
14/11/2024
Joplin is a free, open source note taking and to-do application. Joplin-desktop has a vulnerability that leads to remote code execution (RCE) when a user clicks on an link within untrusted notes. The issue arises due to insufficient sanitization of tag attributes introduced by the Mermaid. This vulnerability allows the execution of untrusted HTML content within the Electron window, which has full access to Node.js APIs, enabling arbitrary shell command execution.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2025

CVE-2024-4311
Publication date:
14/11/2024
zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. An attacker can brute-force the current password in the 'Update Password' function, allowing them to take over the user's account. This vulnerability is due to the absence of rate-limiting on the '/api/v1/current-user' endpoint, which does not restrict the number of attempts an attacker can make to guess the current password. Successful exploitation results in the attacker being able to change the password and take control of the account.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2025

CVE-2024-4343
Publication date:
14/11/2024
A Python command injection vulnerability exists in the `SagemakerLLM` class's `complete()` method within `./private_gpt/components/llm/custom/sagemaker.py` of the imartinez/privategpt application, versions up to and including 0.3.0. The vulnerability arises due to the use of the `eval()` function to parse a string received from a remote AWS SageMaker LLM endpoint into a dictionary. This method of parsing is unsafe as it can execute arbitrary Python code contained within the response. An attacker can exploit this vulnerability by manipulating the response from the AWS SageMaker LLM endpoint to include malicious Python code, leading to potential execution of arbitrary commands on the system hosting the application. The issue is fixed in version 0.6.0.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2025

CVE-2024-50823
Publication date:
14/11/2024
A SQL Injection vulnerability was found in /admin/login.php in kashipara E-learning Management System Project 1.0 via the username and password parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2024-3502
Publication date:
14/11/2024
In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. This issue occurs when authenticated users inspect responses from `GET /v1/users/me` and `GET /v1/users/me/org` endpoints. The exposed account recovery hashes, while not directly related to user passwords, represent sensitive information that should not be accessible to unauthorized parties. Exposing these hashes could potentially facilitate account recovery attacks or other malicious activities. The vulnerability was addressed in version 1.2.6.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2025

CVE-2024-1682
Publication date:
14/11/2024
An unclaimed Amazon S3 bucket, 'codeconf', is referenced in an audio file link within the .rst documentation file. This bucket has been claimed by an external party. The use of this unclaimed S3 bucket could lead to data integrity issues, data leakage, availability problems, loss of trustworthiness, and potential further attacks if the bucket is used to host malicious content or as a pivot point for further attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2024-3379
Publication date:
14/11/2024
In lunary-ai/lunary versions 1.2.2 through 1.2.6, an incorrect authorization vulnerability allows unprivileged users to re-generate the private key for projects they do not have access to. Specifically, a user with a 'Member' role can issue a request to regenerate the private key of a project without having the necessary permissions or being assigned to that project. This issue was fixed in version 1.2.7.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2024-3501
Publication date:
14/11/2024
In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of `GET /v1/users/me` and `GET /v1/users/me/org` API endpoints. These tokens, intended for sensitive operations such as password resets or account verification, are exposed to unauthorized actors, potentially allowing them to perform actions on behalf of the user. This issue was addressed in version 1.2.6, where the exposure of single-use tokens in user-facing queries was mitigated.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2024-50834
Publication date:
14/11/2024
A SQL Injection was found in /admin/teachers.php in KASHIPARA E-learning Management System Project 1.0 via the firstname and lastname parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2024-50835
Publication date:
14/11/2024
A SQL Injection vulnerability was found in /admin/edit_student.php in KASHIPARA E-learning Management System Project 1.0 via the cys, un, ln, fn, and id parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2024-50836
Publication date:
14/11/2024
A Stored Cross-Site Scripting (XSS) vulnerability was found in /admin/teachers.php in KASHIPARA E-learning Management System Project 1.0. This vulnerability allows remote attackers to execute arbitrary scripts via the firstname and lastname parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2024-6068
Publication date:
14/11/2024
A memory corruption vulnerability exists in the affected products when parsing DFT files. Local threat actors can exploit this issue to disclose information and to execute arbitrary code. To exploit this vulnerability a legitimate user must open a malicious DFT file.
Severity CVSS v4.0: HIGH
Last modification:
15/11/2024
Subscribe to Vulnerabilities