Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates that information into Spanish.

Occasionally this list shows vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-36024

Publication date:
30/05/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Disable idle reallow as part of command/gpint execution

[Why]
Workaround for a race condition where DMCUB is in the process of committing to IPS1 during the handshake causing us to miss the transition into IPS2 and touch the INBOX1 RPTR causing a HW hang.

[How]
Disable the reallow to ensure that we have enough of a gap between entry and exit and we're not seeing back-to-back wake_and_executes.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2025

CVE-2024-36025

Publication date:
30/05/2024
In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Fix off by one in qla_edif_app_getstats()

The app_reply->elem[] array is allocated earlier in this function and it has app_req.num_ports elements. Thus this > comparison needs to be >= to prevent memory corruption.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2025

CVE-2024-36026

Publication date:
30/05/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/pm: fixes a random hang in S4 for SMU v13.0.4/11

While doing multiple S4 stress tests, GC/RLC/PMFW get into an invalid state resulting into hard hangs.

Adding a GFX reset as workaround just before sending the MP1_UNLOAD message avoids this failure.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2025

CVE-2024-3924

Publication date:
30/05/2024
A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the `autodocs.yml` workflow file. The vulnerability arises from the insecure handling of the `github.head_ref` user input, which is used to dynamically construct a command for installing a software package. An attacker can exploit this by forking the repository, creating a branch with a malicious payload as the name, and then opening a pull request to the base repository. Successful exploitation could lead to arbitrary code execution within the context of the GitHub Actions runner. This issue affects versions up to and including v2.0.0 and was fixed in version 2.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
30/05/2024

CVE-2024-4330

Publication date:
30/05/2024
A path traversal vulnerability was identified in the parisneo/lollms-webui repository, specifically within version 9.6. The vulnerability arises due to improper handling of user-supplied input in the 'list_personalities' endpoint. By crafting a malicious HTTP request, an attacker can traverse the directory structure and view the contents of any folder, albeit limited to subfolder names only. This issue was demonstrated via a specific HTTP request that manipulated the 'category' parameter to access arbitrary directories. The vulnerability is present in the code located at the 'endpoints/lollms_advanced.py' file.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2025

CVE-2024-36020

Publication date:
30/05/2024
In the Linux kernel, the following vulnerability has been resolved:

i40e: fix vf may be used uninitialized in this function warning

To fix the regression introduced by commit 52424f974bc5, which causes servers hang in very hard to reproduce conditions with resets races. Using two sources for the information is the root cause. In this function before the fix bumping v didn't mean bumping vf pointer. But the code used this variables interchangeably, so stale vf could point to different/not intended vf.

Remove redundant "v" variable and iterate via single VF pointer across whole function instead to guarantee VF pointer validity.
Severity CVSS v4.0: Pending analysis
Last modification:
23/12/2025

CVE-2024-35504

Publication date:
30/05/2024
A cross-site scripting (XSS) vulnerability in the login page of FineSoft v8.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL:errorname parameter after a failed login attempt.
Severity CVSS v4.0: Pending analysis
Last modification:
27/09/2025

CVE-2024-36018

Publication date:
30/05/2024
In the Linux kernel, the following vulnerability has been resolved:

nouveau/uvmm: fix addr/range calcs for remap operations

dEQP-VK.sparse_resources.image_rebind.2d_array.r64i.128_128_8 was causing a remap operation like the below.

op_remap: prev: 0000003fffed0000 00000000000f0000 00000000a5abd18a 0000000000000000
op_remap: next:
op_remap: unmap: 0000003fffed0000 0000000000100000 0
op_map: map: 0000003ffffc0000 0000000000010000 000000005b1ba33c 00000000000e0000

This was resulting in an unmap operation from 0x3fffed0000+0xf0000, 0x100000 which was corrupting the pagetables and oopsing the kernel.

Fixes the prev + unmap range calcs to use start/end and map back to addr/range.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2025

CVE-2024-5516

Publication date:
30/05/2024
A vulnerability was found in itsourcecode Online Blood Bank Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file massage.php. The manipulation of the argument bid leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-266587.
Severity CVSS v4.0: MEDIUM
Last modification:
11/02/2025

CVE-2024-5515

Publication date:
30/05/2024
A vulnerability was found in SourceCodester Stock Management System 1.0. It has been classified as critical. Affected is an unknown function of the file createBrand.php. The manipulation of the argument brandName leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-266586 is the identifier assigned to this vulnerability.
Severity CVSS v4.0: MEDIUM
Last modification:
10/02/2025

CVE-2024-3584

Publication date:
30/05/2024
qdrant/qdrant version 1.9.0-dev is vulnerable to path traversal due to improper input validation in the `/collections/{name}/snapshots/upload` endpoint. By manipulating the `name` parameter through URL encoding, an attacker can upload a file to an arbitrary location on the system, such as `/root/poc.txt`. This vulnerability allows for the writing and overwriting of arbitrary files on the server, potentially leading to a full takeover of the system. The issue is fixed in version 1.9.0.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2024-36017

Publication date:
30/05/2024
In the Linux kernel, the following vulnerability has been resolved:

rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation

Each attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a struct ifla_vf_vlan_info so the size of such attribute needs to be at least of sizeof(struct ifla_vf_vlan_info) which is 14 bytes. The current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes) which is less than sizeof(struct ifla_vf_vlan_info) so this validation is not enough and a too small attribute might be cast to a struct ifla_vf_vlan_info, this might result in an out of bounds read access when accessing the saved (casted) entry in ivvl.
Severity CVSS v4.0: Pending analysis
Last modification:
17/12/2025