Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list shows vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters, you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-28321

Publication date:
26/05/2023
An improper certificate validation vulnerability exists in curl
Severity CVSS v4.0: Pending analysis
Last modification:
15/01/2025

CVE-2023-28322

Publication date:
26/05/2023
An information disclosure vulnerability exists in curl
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2026

CVE-2023-28320

Publication date:
26/05/2023
A denial of service vulnerability exists in curl
Severity CVSS v4.0: Pending analysis
Last modification:
15/01/2025

CVE-2023-28319

Publication date:
26/05/2023
A use after free vulnerability exists in curl
Severity CVSS v4.0: Pending analysis
Last modification:
15/01/2025

CVE-2023-33247

Publication date:
26/05/2023
Talend Data Catalog remote harvesting server before 8.0-20230413 contains a /upgrade endpoint that allows an unauthenticated WAR file to be deployed on the server. (A mitigation is that the remote harvesting server should be behind a firewall that only allows access to the Talend Data Catalog server.)
Severity CVSS v4.0: Pending analysis
Last modification:
16/01/2025

CVE-2023-33255

Publication date:
26/05/2023
An issue was discovered in Papaya Viewer 1.0.1449. User-supplied input in form of DICOM or NIFTI images can be loaded into the Papaya web application without any kind of sanitization. This allows injection of arbitrary JavaScript code into image metadata, which is executed when that metadata is displayed in the Papaya web application.
Severity CVSS v4.0: Pending analysis
Last modification:
15/01/2025

CVE-2023-33197

Publication date:
26/05/2023
Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2023

CVE-2023-32681

Publication date:
26/05/2023
Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2023-32318

Publication date:
26/05/2023
Nextcloud server provides a home for data. A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account the previous session would be continued and the attacker would be authenticated as the previously logged in user. It is recommended that the Nextcloud Server is upgraded to 25.0.6 or 26.0.1.
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2023

CVE-2023-22970

Publication date:
26/05/2023
Bottles before 51.0 mishandles YAML load, which allows remote code execution via a crafted file.
Severity CVSS v4.0: Pending analysis
Last modification:
15/01/2025

CVE-2023-2283

Publication date:
26/05/2023
A vulnerability was found in libssh, where the authentication check of the connecting client can be bypassed in the `pki_verify_data_signature` function in memory allocation problems. This issue may happen if there is insufficient memory or the memory usage is limited. The problem is caused by the return value `rc`, which is initialized to SSH_ERROR and later rewritten to save the return value of the function call `pki_key_check_hash_compatible`. The value of the variable is not changed between this point and the cryptographic verification. Therefore any error between them calls `goto error` returning SSH_OK.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2023-20868

Publication date:
26/05/2023
NSX-T contains a reflected cross-site scripting vulnerability due to a lack of input validation. A remote attacker can inject HTML or JavaScript to redirect to malicious pages.
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2025