Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-5671

Publication date:
25/10/2023
HP Print and Scan Doctor for Windows may potentially be vulnerable to escalation of privilege. HP is releasing software updates to mitigate the potential vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2024

CVE-2023-5717

Publication date:
25/10/2023
A heap out-of-bounds write vulnerability in the Linux kernel&amp;#39;s Linux Kernel Performance Events (perf) component can be exploited to achieve local privilege escalation.<br /> <br /> If perf_read_group() is called while an event&amp;#39;s sibling_list is smaller than its child&amp;#39;s sibling_list, it can increment or write to memory locations outside of the allocated buffer.<br /> <br /> We recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2023-5721

Publication date:
25/10/2023
It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an insufficient activation-delay. This vulnerability affects Firefox
Severity CVSS v4.0: Pending analysis
Last modification:
01/11/2023

CVE-2023-5085

Publication date:
25/10/2023
The Advanced Menu Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via &amp;#39;advMenu&amp;#39; shortcode in versions up to, and including, 0.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2023-5110

Publication date:
25/10/2023
The BSK PDF Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via &amp;#39;bsk-pdfm-category-dropdown&amp;#39; shortcode in versions up to, and including, 3.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2023-5126

Publication date:
25/10/2023
The Delete Me plugin for WordPress is vulnerable to Stored Cross-Site Scripting via &amp;#39;plugin_delete_me&amp;#39; shortcode in versions up to, and including, 3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The shortcode is not displayed to administrators, so it cannot be used against administrator users.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2023-5127

Publication date:
25/10/2023
The WP Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping on &amp;#39;icon&amp;#39; user supplied attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2023-4606

Publication date:
25/10/2023
An authenticated XCC user with Read-Only permission can change a different user’s password through a crafted API command.  <br /> <br /> This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-4607

Publication date:
25/10/2023
An authenticated XCC user can change permissions for any user through a crafted API command.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-4608

Publication date:
25/10/2023
An authenticated XCC user with elevated privileges can perform blind SQL injection in limited cases through a crafted API command. <br /> <br /> This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-4692

Publication date:
25/10/2023
An out-of-bounds write flaw was found in grub2&amp;#39;s NTFS filesystem driver. This issue may allow an attacker to present a specially crafted NTFS filesystem image, leading to grub&amp;#39;s heap metadata corruption. In some circumstances, the attack may also corrupt the UEFI firmware heap metadata. As a result, arbitrary code execution and secure boot protection bypass may be achieved.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2023-4693

Publication date:
25/10/2023
An out-of-bounds read flaw was found on grub2&amp;#39;s NTFS filesystem driver. This issue may allow a physically present attacker to present a specially crafted NTFS file system image to read arbitrary memory locations. A successful attack allows sensitive data cached in memory or EFI variable values to be leaked, presenting a high Confidentiality risk.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025