Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); by virtue of a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are available: you can select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-3569

Publication date:
10/04/2024
A Denial of Service (DoS) vulnerability exists in the mintplex-labs/anything-llm repository when the application is running in 'just me' mode with a password. An attacker can exploit this vulnerability by making a request to the endpoint using the [validatedRequest] middleware with a specially crafted 'Authorization:' header. This vulnerability leads to uncontrolled resource consumption, causing a DoS condition.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2025

CVE-2024-3570

Publication date:
10/04/2024
A stored Cross-Site Scripting (XSS) vulnerability exists in the chat functionality of the mintplex-labs/anything-llm repository, allowing attackers to execute arbitrary JavaScript in the context of a user's session. By manipulating the ChatBot responses, an attacker can inject malicious scripts to perform actions on behalf of the user, such as creating a new admin account or changing the user's password, leading to a complete takeover of the AnythingLLM application. The vulnerability stems from the improper sanitization of user and ChatBot input, specifically through the use of `dangerouslySetInnerHTML`. Successful exploitation requires convincing an admin to add a malicious LocalAI ChatBot to their AnythingLLM instance.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2025

CVE-2024-3383

Publication date:
10/04/2024
A vulnerability in how Palo Alto Networks PAN-OS software processes data received from Cloud Identity Engine (CIE) agents enables modification of User-ID groups. This impacts user access to network resources where users may be inappropriately denied or allowed access to resources based on your existing Security Policy rules.
Severity CVSS v4.0: Pending analysis
Last modification:
24/01/2025

CVE-2024-3384

Publication date:
10/04/2024
A vulnerability in Palo Alto Networks PAN-OS software enables a remote attacker to reboot PAN-OS firewalls when receiving Windows New Technology LAN Manager (NTLM) packets from Windows servers. Repeated attacks eventually cause the firewall to enter maintenance mode, which requires manual intervention to bring the firewall back online.
Severity CVSS v4.0: Pending analysis
Last modification:
24/01/2025

CVE-2024-3385

Publication date:
10/04/2024
A packet processing mechanism in Palo Alto Networks PAN-OS software enables a remote attacker to reboot hardware-based firewalls. Repeated attacks eventually cause the firewall to enter maintenance mode, which requires manual intervention to bring the firewall back online.

This affects the following hardware firewall models:
- PA-5400 Series firewalls
- PA-7000 Series firewalls
Severity CVSS v4.0: Pending analysis
Last modification:
24/01/2025

CVE-2024-3386

Publication date:
10/04/2024
An incorrect string comparison vulnerability in Palo Alto Networks PAN-OS software prevents Predefined Decryption Exclusions from functioning as intended. This can cause traffic destined for domains that are not specified in Predefined Decryption Exclusions to be unintentionally excluded from decryption.
Severity CVSS v4.0: Pending analysis
Last modification:
24/01/2025

CVE-2024-3388

Publication date:
10/04/2024
A vulnerability in the GlobalProtect Gateway in Palo Alto Networks PAN-OS software enables an authenticated attacker to impersonate another user and send network packets to internal assets. However, this vulnerability does not allow the attacker to receive response packets from those internal assets.
Severity CVSS v4.0: Pending analysis
Last modification:
24/01/2025

CVE-2024-3387

Publication date:
10/04/2024
A weak (low bit strength) device certificate in Palo Alto Networks Panorama software enables an attacker to perform a meddler-in-the-middle (MitM) attack to capture encrypted traffic between the Panorama management server and the firewalls it manages. With sufficient computing resources, the attacker could break encrypted communication and expose sensitive information that is shared between the management server and the firewalls.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2026

CVE-2024-3098

Publication date:
10/04/2024
A vulnerability was identified in the `exec_utils` class of the `llama_index` package, specifically within the `safe_eval` function, allowing for prompt injection leading to arbitrary code execution. This issue arises due to insufficient validation of input, which can be exploited to bypass method restrictions and execute unauthorized code. The vulnerability is a bypass of the previously addressed CVE-2023-39662, demonstrated through a proof of concept that creates a file on the system by exploiting the flaw.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2024

CVE-2024-3101

Publication date:
10/04/2024
In mintplex-labs/anything-llm, an improper input validation vulnerability allows attackers to escalate privileges by deactivating 'Multi-User Mode'. By sending a specially crafted curl request with the 'multi_user_mode' parameter set to false, an attacker can deactivate 'Multi-User Mode'. This action permits the creation of a new admin user without requiring a password, leading to unauthorized administrative access.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2025

CVE-2024-3283

Publication date:
10/04/2024
A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multi_user_mode' system variable, enabling them to access the '/api/system/enable-multi-user' endpoint and create a new admin user. This issue results from the endpoint accepting a full JSON object in the request body without proper validation of modifiable fields, leading to unauthorized modification of system settings and subsequent privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2025

CVE-2024-3382

Publication date:
10/04/2024
A memory leak exists in Palo Alto Networks PAN-OS software that enables an attacker to send a burst of crafted packets through the firewall that eventually prevents the firewall from processing traffic. This issue applies only to PA-5400 Series devices that are running PAN-OS software with the SSL Forward Proxy feature enabled.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2025