Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-5009
Publication date:
19/09/2023
An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.2.7, all versions starting from 16.3 before 16.3.4. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies. This was a bypass of [CVE-2023-3932](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3932) showing additional impact.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2024

CVE-2023-5054
Publication date:
19/09/2023
The Super Store Finder plugin for WordPress is vulnerable to unauthenticated arbitrary email creation and relay in versions up to, and including, 6.9.3. This is due to insufficient restrictions on the sendMail.php file that allows direct access. This makes it possible for unauthenticated attackers to send emails utilizing the vulnerable site's server, with arbitrary content. Please note that this vulnerability has already been publicly disclosed with an exploit which is why we are publishing the details without a patch available, we are attempting to initiate contact with the developer.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2023-26143
Publication date:
19/09/2023
Versions of the package blamer before 1.0.4 are vulnerable to Arbitrary Argument Injection via the blameByFile() API. The library does not sanitize for user input or validate the given file path conforms to a specific schema, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-42399
Publication date:
19/09/2023
Cross Site Scripting vulnerability in xdsoft.net Jodit Editor v.4.0.0-beta.86 allows a remote attacker to obtain sensitive information via the rich text editor component.
Severity CVSS v4.0: Pending analysis
Last modification:
21/09/2023

CVE-2023-5060
Publication date:
19/09/2023
Cross-site Scripting (XSS) - DOM in GitHub repository librenms/librenms prior to 23.9.1.
Severity CVSS v4.0: Pending analysis
Last modification:
19/09/2023

CVE-2023-41599
Publication date:
19/09/2023
An issue in the component /common/DownController.java of JFinalCMS v5.0.0 allows attackers to execute a directory traversal.
Severity CVSS v4.0: Pending analysis
Last modification:
19/09/2023

CVE-2022-28357
Publication date:
19/09/2023
NATS nats-server 2.2.0 through 2.7.4 allows directory traversal because of an unintended path to a management action from a management account.
Severity CVSS v4.0: Pending analysis
Last modification:
19/09/2023

CVE-2023-40788
Publication date:
19/09/2023
SpringBlade
Severity CVSS v4.0: Pending analysis
Last modification:
19/09/2023

CVE-2021-26837
Publication date:
19/09/2023
SQL Injection vulnerability in SearchTextBox parameter in Fortra (Formerly HelpSystems) DeliverNow before version 1.2.18, allows attackers to execute arbitrary code, escalate privileges, and gain sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2023

CVE-2023-41443
Publication date:
18/09/2023
SQL injection vulnerability in Novel-Plus v.4.1.0 allows a remote attacker to execute arbitrary code via a crafted script to the sort parameter in /sys/menu/list.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2023

CVE-2023-42446
Publication date:
18/09/2023
Pow is a authentication and user management solution for Phoenix and Plug-based apps. Starting in version 1.0.14 and prior to version 1.0.34, use of `Pow.Store.Backend.MnesiaCache` is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A session may expire when all `Pow.Store.Backend.MnesiaCache` instances have been shut down for a period that is longer than a session's remaining TTL. Version 1.0.34 contains a patch for this issue. As a workaround, expired keys, including all expired sessions, can be manually invalidated.
Severity CVSS v4.0: Pending analysis
Last modification:
22/09/2023

CVE-2023-42454
Publication date:
18/09/2023
SQLpage is a SQL-only webapp builder. Someone using SQLpage versions prior to 0.11.1, whose SQLpage instance is exposed publicly, with a database connection string specified in the `sqlpage/sqlpage.json` configuration file (not in an environment variable), with the web_root is the current working directory (the default), and with their database exposed publicly, is vulnerable to an attacker retrieving database connection information from SQLPage and using it to connect to their database directly. Version 0.11.0 fixes this issue. Some workarounds are available. Using an environment variable instead of the configuration file to specify the database connection string prevents exposing it on vulnerable versions. Using a different web root (that is not a parent of the SQLPage configuration directory) fixes the issue. One should also avoid exposing one's database publicly.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2023
Subscribe to Vulnerabilities