Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, as results can be narrowed down by different criteria, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-5126

Publication date:
25/10/2023
The Delete Me plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'plugin_delete_me' shortcode in versions up to, and including, 3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The shortcode is not displayed to administrators, so it cannot be used against administrator users.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2023-5127

Publication date:
25/10/2023
The WP Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping on 'icon' user supplied attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2023-4606

Publication date:
25/10/2023
An authenticated XCC user with Read-Only permission can change a different user’s password through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-4607

Publication date:
25/10/2023
An authenticated XCC user can change permissions for any user through a crafted API command.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-4608

Publication date:
25/10/2023
An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-4692

Publication date:
25/10/2023
An out-of-bounds write flaw was found in grub2's NTFS filesystem driver. This issue may allow an attacker to present a specially crafted NTFS filesystem image, leading to grub's heap metadata corruption. In some circumstances, the attack may also corrupt the UEFI firmware heap metadata. As a result, arbitrary code execution and secure boot protection bypass may be achieved.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2023-4693

Publication date:
25/10/2023
An out-of-bounds read flaw was found on grub2's NTFS filesystem driver. This issue may allow a physically present attacker to present a specially crafted NTFS file system image to read arbitrary memory locations. A successful attack allows sensitive data cached in memory or EFI variable values to be leaked, presenting a high Confidentiality risk.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2023-46652

Publication date:
25/10/2023
A missing permission check in Jenkins lambdatest-automation Plugin 1.20.9 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of LAMBDATEST credentials stored in Jenkins.
Severity CVSS v4.0: Pending analysis
Last modification:
01/11/2023

CVE-2023-46653

Publication date:
25/10/2023
Jenkins lambdatest-automation Plugin 1.20.10 and earlier logs LAMBDATEST Credentials access token at the INFO level, potentially resulting in its exposure.
Severity CVSS v4.0: Pending analysis
Last modification:
01/11/2023

CVE-2023-46654

Publication date:
25/10/2023
Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during the cleanup process of the 'CloudBees CD - Publish Artifact' post-build step, allowing attackers able to configure jobs to delete arbitrary files on the Jenkins controller file system.
Severity CVSS v4.0: Pending analysis
Last modification:
01/11/2023

CVE-2023-46655

Publication date:
25/10/2023
Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the directory from which artifacts are published during the 'CloudBees CD - Publish Artifact' post-build step, allowing attackers able to configure jobs to publish arbitrary files from the Jenkins controller file system to the previously configured CloudBees CD server.
Severity CVSS v4.0: Pending analysis
Last modification:
01/11/2023

CVE-2023-46656

Publication date:
25/10/2023
Jenkins Multibranch Scan Webhook Trigger Plugin 1.0.9 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.
Severity CVSS v4.0: Pending analysis
Last modification:
01/11/2023