Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-28484
Publication date:
24/04/2023
In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.
Severity CVSS v4.0: Pending analysis
Last modification:
30/05/2025

CVE-2023-29469
Publication date:
24/04/2023
An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value).
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2025

CVE-2023-2260
Publication date:
24/04/2023
Authorization Bypass Through User-Controlled Key in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304.
Severity CVSS v4.0: Pending analysis
Last modification:
10/05/2023

CVE-2022-28354
Publication date:
24/04/2023
In the Active Threads Plugin 1.3.0 for MyBB, the activethreads.php date parameter is vulnerable to XSS when setting a time period.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2025

CVE-2023-2259
Publication date:
24/04/2023
Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304.
Severity CVSS v4.0: Pending analysis
Last modification:
03/05/2023

CVE-2023-2258
Publication date:
24/04/2023
Improper Neutralization of Formula Elements in a CSV File in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304.
Severity CVSS v4.0: Pending analysis
Last modification:
03/05/2023

CVE-2023-30627
Publication date:
24/04/2023
jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the `REST` endpoints with admin privileges. When combined with CVE-2023-30626, this results in remote code execution on the Jellyfin instance in the context of the user who's running it. This issue is patched in version 10.8.10. There are no known workarounds.
Severity CVSS v4.0: Pending analysis
Last modification:
04/05/2023

CVE-2023-30626
Publication date:
24/04/2023
Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds.
Severity CVSS v4.0: Pending analysis
Last modification:
04/05/2023

CVE-2023-2019
Publication date:
24/04/2023
A flaw was found in the Linux kernel's netdevsim device driver, within the scheduling of events. This issue results from the improper management of a reference count. This may allow an attacker to create a denial of service condition on the system.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2025

CVE-2023-2250
Publication date:
24/04/2023
A flaw was found in the Open Cluster Management (OCM) when a user have access to the worker nodes which has the cluster-manager-registration-controller or cluster-manager deployments. A malicious user can take advantage of this and bind the cluster-admin to any service account or using the service account to list all secrets for all kubernetes namespaces, leading into a cluster-level privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2025

CVE-2023-29530
Publication date:
24/04/2023
Laminas Diactoros provides PSR HTTP Message implementations. In versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, users who create HTTP requests or responses using laminas/laminas-diactoros, when providing a newline at the start or end of a header key or value, can cause an invalid message. This can lead to denial of service vectors or application errors. The problem has been patched in following versions 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.1, and 2.25.1. As a workaround, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling `withHeader()`.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2023

CVE-2023-1414
Publication date:
24/04/2023
The WP VR WordPress plugin before 8.3.0 does not have authorisation and CSRF checks in various AJAX actions, one in particular could allow any authenticated users, such as subscriber to update arbitrary tours
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2025
Subscribe to Vulnerabilities