Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-27449
Publication date:
11/08/2023
Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001, allows remote attackers to execute arbitrary code and steal cookies via crafted JavaScript payload.
Severity CVSS v4.0: Pending analysis
Last modification:
16/08/2023

CVE-2020-25915
Publication date:
11/08/2023
Cross Site Scripting (XSS) vulnerability in UserController.php in ThinkCMF version 5.1.5, allows attackers to execute arbitrary code via crafted user_login.
Severity CVSS v4.0: Pending analysis
Last modification:
16/08/2023

CVE-2020-24075
Publication date:
11/08/2023
Cross Site Scripting (XSS) vulnerability in Name Input Field in Contact Us form in Laborator Kalium before 3.0.4, allows remote attackers to execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
16/08/2023

CVE-2020-24950
Publication date:
11/08/2023
SQL Injection vulnerability in file Base_module_model.php in Daylight Studio FUEL-CMS version 1.4.9, allows remote attackers to execute arbitrary code via the col parameter to function list_items.
Severity CVSS v4.0: Pending analysis
Last modification:
16/08/2023

CVE-2020-19952
Publication date:
11/08/2023
Cross Site Scripting (XSS) vulnerability in Rendering Engine in jbt Markdown Editor thru commit 2252418c27dffbb35147acd8ed324822b8919477, allows remote attackers to execute arbirary code via crafted payload or opening malicious .md file.
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2023

CVE-2023-39417
Publication date:
11/08/2023
IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2024

CVE-2023-39418
Publication date:
11/08/2023
A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2024

CVE-2022-3403
Publication date:
11/08/2023
Rejected reason: Duplicate, please use CVE-2023-28931 instead.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-3864
Publication date:
11/08/2023
Blind SQL injection in a service running in Snow Software license manager from version 8.0.0 up to and including 9.30.1 on Windows allows a logged in user with high privileges to inject SQL commands via the web portal.
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2023

CVE-2023-3937
Publication date:
11/08/2023
Cross site scripting vulnerability in web portal in Snow Software License Manager from version 9.0.0 up to and including 9.30.1 on Windows allows an authenticated user with high privileges to trigger cross site scripting attack via the web browser
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2023

CVE-2023-39553
Publication date:
11/08/2023
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.<br /> <br /> Apache Airflow Drill Provider is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection with DrillHook giving an opportunity to read files on the Airflow server.<br /> This issue affects Apache Airflow Drill Provider: before 2.4.3.<br /> It is recommended to upgrade to a version that is not affected.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2023-4108
Publication date:
11/08/2023
Mattermost fails to sanitize post metadata during audit logging resulting in permalinks contents being logged<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
15/08/2023
Subscribe to Vulnerabilities