Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-42504

Publication date:
28/11/2023
An authenticated malicious user could initiate multiple concurrent requests, each requesting multiple dashboard exports, leading to a possible denial of service.<br /> <br /> This issue affects Apache Superset: before 3.0.0
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2023-40056

Publication date:
28/11/2023
<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> SQL Injection Remote Code Vulnerability was found in the SolarWinds<br /> Platform. This vulnerability can be exploited with a low privileged account. <br /> <br /> <br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
04/12/2023

CVE-2023-42505

Publication date:
28/11/2023
An authenticated user with read permissions on database connections metadata could potentially access sensitive information such as the connection&amp;#39;s username.<br /> <br /> This issue affects Apache Superset before 3.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2023-45286

Publication date:
28/11/2023
A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn&amp;#39;t had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.
Severity CVSS v4.0: Pending analysis
Last modification:
04/01/2024

CVE-2023-48848

Publication date:
28/11/2023
An arbitrary file read vulnerability in ureport v2.2.9 allows a remote attacker to arbitrarily read files on the server by inserting a crafted path.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2024

CVE-2023-41264

Publication date:
28/11/2023
Netwrix Usercube before 6.0.215, in certain misconfigured on-premises installations, allows authentication bypass on deployment endpoints, leading to privilege escalation. This only occurs if the configuration omits the required restSettings.AuthorizedClientId and restSettings.AuthorizedSecret fields (for the POST /api/Deployment/ExportConfiguration and POST /api/Deployment endpoints).
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2024

CVE-2023-42502

Publication date:
28/11/2023
An authenticated attacker with update datasets permission could change a dataset link to an untrusted site by spoofing the HTTP Host header, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset versions before 3.0.0.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
04/12/2023

CVE-2023-49062

Publication date:
28/11/2023
Katran could disclose non-initialized kernel memory as part of an IP header. The issue was present for IPv4 encapsulation and ICMP (v4) Too Big packet generation. After a bpf_xdp_adjust_head call, Katran code didn’t initialize the Identification field for the IPv4 header, resulting in writing content of kernel memory in that field of IP header. The issue affected all Katran versions prior to commit 6a03106ac1eab39d0303662963589ecb2374c97f
Severity CVSS v4.0: Pending analysis
Last modification:
04/12/2023

CVE-2022-41678

Publication date:
28/11/2023
Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution. <br /> <br /> In details, in ActiveMQ configurations, jetty allows<br /> org.jolokia.http.AgentServlet to handler request to /api/jolokia<br /> <br /> org.jolokia.http.HttpRequestHandler#handlePostRequest is able to<br /> create JmxRequest through JSONObject. And calls to<br /> org.jolokia.http.HttpRequestHandler#executeRequest.<br /> <br /> Into deeper calling stacks,<br /> org.jolokia.handler.ExecHandler#doHandleRequest can be invoked<br /> through refection. This could lead to RCE through via<br /> various mbeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11.<br /> <br /> 1 Call newRecording.<br /> <br /> 2 Call setConfiguration. And a webshell data hides in it.<br /> <br /> 3 Call startRecording.<br /> <br /> 4 Call copyTo method. The webshell will be written to a .jsp file.<br /> <br /> The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia.<br /> A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2023-46589

Publication date:
28/11/2023
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single <br /> request as multiple requests leading to the possibility of request <br /> smuggling when behind a reverse proxy.<br /> <br /> <br /> Older, EOL versions may also be affected.<br /> <br /> <br /> Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
07/08/2025

CVE-2023-49313

Publication date:
28/11/2023
A dylib injection vulnerability in XMachOViewer 0.04 allows attackers to compromise integrity. By exploiting this, unauthorized code can be injected into the product&amp;#39;s processes, potentially leading to remote control and unauthorized access to sensitive user data.
Severity CVSS v4.0: Pending analysis
Last modification:
04/12/2023

CVE-2023-49314

Publication date:
28/11/2023
Asana Desktop 2.1.0 on macOS allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode and EnableNodeCliInspectArguments, and thus r3ggi/electroniz3r can be used to perform an attack.
Severity CVSS v4.0: Pending analysis
Last modification:
16/02/2024