Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish by virtue of a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-3425

Publication date:
25/08/2023
Out-of-bounds read issue in M-Files Server versions below 23.8.12892.6 and LTS Service Release Versions before 23.2 LTS SR3 allows unauthenticated user to read restricted amount of bytes from memory.
Severity CVSS v4.0: Pending analysis
Last modification:
23/02/2026

CVE-2023-32518

Publication date:
25/08/2023
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Ono Oogami WP Chinese Conversion plugin
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2023

CVE-2023-32757

Publication date:
25/08/2023
e-Excellence U-Office Force file uploading function does not restrict upload of file with dangerous type. An unauthenticated remote attacker without logging the service can exploit this vulnerability to upload arbitrary files to perform arbitrary command or disrupt service.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2023

CVE-2023-32756

Publication date:
25/08/2023
e-Excellence U-Office Force has a path traversal vulnerability within its file uploading and downloading functions. An unauthenticated remote attacker can exploit this vulnerability to read arbitrary system files, but can't control system or disrupt service.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2023

CVE-2023-41173

Publication date:
25/08/2023
AdGuard DNS before 2.2 allows remote attackers to cause a denial of service via malformed UDP packets.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2023-32755

Publication date:
25/08/2023
e-Excellence U-Office Force generates an error message in website service. An unauthenticated remote attacker can obtain partial sensitive system information from error message by sending a crafted command.
Severity CVSS v4.0: Pending analysis
Last modification:
30/08/2023

CVE-2023-40530

Publication date:
25/08/2023
Improper authorization in handler for custom URL scheme issue in 'Skylark' App for Android 6.2.13 and earlier and 'Skylark' App for iOS 6.2.13 and earlier allows an attacker to lead a user to access an arbitrary website via another application installed on the user's device.
Severity CVSS v4.0: Pending analysis
Last modification:
31/08/2023

CVE-2023-4520

Publication date:
25/08/2023
The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_fv_player_user_video' parameter saved via the 'save' function hooked via init, and the plugin is also vulnerable to Arbitrary Usermeta Update via the 'save' function in versions up to, and including, 7.5.37.7212 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, and makes it possible to update the user metas arbitrarily, but the meta value can only be a string.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2023-40599

Publication date:
25/08/2023
Regular expression Denial-of-Service (ReDoS) exists in multiple add-ons for Mailform Pro CGI 4.3.1.3 and earlier, which allows a remote unauthenticated attacker to cause a denial-of-service condition. Affected add-ons are as follows: call/call.js, prefcodeadv/search.cgi, estimate/estimate.js, search/search.js, suggest/suggest.js, and coupon/coupon.js.
Severity CVSS v4.0: Pending analysis
Last modification:
31/08/2023

CVE-2023-40570

Publication date:
25/08/2023
Datasette is an open source multi-tool for exploring and publishing data. This bug affects Datasette instances running a Datasette 1.0 alpha - 1.0a0, 1.0a1, 1.0a2 or 1.0a3 - in an online accessible location but with authentication enabled using a plugin such as datasette-auth-passwords. The `/-/api` API explorer endpoint could reveal the names of both databases and tables - but not their contents - to an unauthenticated user. Datasette 1.0a4 has a fix for this issue. This will block access to the API explorer but will still allow access to the Datasette read or write JSON APIs, as those use different URL patterns within the Datasette `/database` hierarchy. This issue is patched in version 1.0a4.
Severity CVSS v4.0: Pending analysis
Last modification:
31/08/2023

CVE-2023-40577

Publication date:
25/08/2023
Alertmanager handles alerts sent by client applications such as the Prometheus server. An attacker with the permission to perform POST requests on the /api/v1/alerts endpoint could be able to execute arbitrary JavaScript code on the users of Prometheus Alertmanager. This issue has been fixed in Alertmanager version 0.2.51.
Severity CVSS v4.0: Pending analysis
Last modification:
24/10/2023

CVE-2023-40217

Publication date:
25/08/2023
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025