Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates that information into Spanish.

Occasionally this list shows vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily updates on the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-6127

Publication date:
27/06/2024
BC Security Empire before 5.9.3 is vulnerable to a path traversal issue that can lead to remote code execution. A remote, unauthenticated attacker can exploit this vulnerability over HTTP by acting as a normal agent, completing all cryptographic handshakes, and then triggering an upload of payload data containing a malicious path.
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2025

CVE-2024-38523

Publication date:
27/06/2024
Hush Line is a free and open-source, anonymous-tip-line-as-a-service for organizations or individuals. The TOTP authentication flow has multiple issues that weaken its one-time nature. Specifically, the lack of 2FA for changing security settings allows an attacker with CSRF or XSS primitives to change such settings without user interaction and credentials are required. This vulnerability has been patched in version 0.10.
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2024

CVE-2024-39129

Publication date:
27/06/2024
Heap Buffer Overflow vulnerability in DumpTS v0.1.0-nightly allows attackers to cause a denial of service via the function PushTSBuf() at /src/PayloadBuf.cpp.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2024

CVE-2024-39130

Publication date:
27/06/2024
A NULL Pointer Dereference discovered in DumpTS v0.1.0-nightly allows attackers to cause a denial of service via the function DumpOneStream() at /src/DumpStream.cpp.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2024-39133

Publication date:
27/06/2024
Heap Buffer Overflow vulnerability in zziplib v0.13.77 allows attackers to cause a denial of service via the __zzip_parse_root_directory() function at /zzip/zip.c.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2025

CVE-2024-39207

Publication date:
27/06/2024
lua-shmem v1.0-1 was discovered to contain a buffer overflow via the shmem_write function.
Severity CVSS v4.0: Pending analysis
Last modification:
23/08/2024

CVE-2024-39208

Publication date:
27/06/2024
luci-app-lucky v2.8.3 was discovered to contain hardcoded credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2024-31802

Publication date:
27/06/2024
DESIGNA ABACUS v.18 and before allows an attacker to bypass the payment process via a crafted QR code.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2024-6139

Publication date:
27/06/2024
A path traversal vulnerability exists in the XTTS server of the parisneo/lollms package version v9.6. This vulnerability allows an attacker to write audio files to arbitrary locations on the system and enumerate file paths. The issue arises from improper validation of user-provided file paths in the `tts_to_file` endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
27/06/2024

CVE-2024-6250

Publication date:
27/06/2024
An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the `open_file` endpoint of `lollms_advanced.py`. The `sanitize_path` function with `allow_absolute_path=True` allows an attacker to access arbitrary files and directories on a Windows system. This vulnerability can be exploited to read any file and list arbitrary directories on the affected system.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2025

CVE-2024-6038

Publication date:
27/06/2024
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the latest version of gaizhenbiao/chuanhuchatgpt. The vulnerability is located in the filter_history function within the utils.py module. This function takes a user-provided keyword and attempts to match it against chat history filenames using a regular expression search. Due to the lack of sanitization or validation of the keyword parameter, an attacker can inject a specially crafted regular expression, leading to a denial of service condition. This can cause severe degradation of service performance and potential system unavailability.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2025

CVE-2024-6085

Publication date:
27/06/2024
A path traversal vulnerability exists in the XTTS server included in the lollms package, version v9.6. This vulnerability arises from the ability to perform an unauthenticated root folder settings change. Although the read file endpoint is protected against path traversals, this protection can be bypassed by changing the root folder to '/'. This allows attackers to read arbitrary files on the system. Additionally, the output folders can be changed to write arbitrary audio files to any location on the system.
Severity CVSS v4.0: Pending analysis
Last modification:
27/06/2024