Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible, since different criteria can be selected to narrow down the results, for example vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-28254

Publication date:
19/04/2023
A deserialization vulnerability in the destruct() function of Laravel v8.5.9 allows attackers to execute arbitrary commands.
Severity CVSS v4.0: Pending analysis
Last modification:
05/03/2025

CVE-2023-27043

Publication date:
19/04/2023
The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.
Severity CVSS v4.0: Pending analysis
Last modification:
17/12/2025

CVE-2023-30606

Publication date:
18/04/2023
Discourse is an open source platform for community discussion. In affected versions a user logged as an administrator can call arbitrary methods on the `SiteSetting` class, notably `#clear_cache!` and `#notify_changed!`, which when done on a multisite instance, can affect the entire cluster resulting in a denial of service. Users not running in multisite environments are not affected. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2023

CVE-2023-30538

Publication date:
18/04/2023
Discourse is an open source platform for community discussion. Due to the improper sanitization of SVG files, an attacker can execute arbitrary JavaScript on the users' browsers by uploading a crafted SVG file. This issue is patched in the latest stable and tests-passed versions of Discourse. Users are advised to upgrade. For users unable to upgrade there are two possible workarounds: enable CDN handling of uploads (and ensure the CDN sanitizes SVG files) or disable SVG file uploads by ensuring that the `authorized extensions` site setting does not include `svg` (or reset that setting to the default; by default Discourse doesn't enable SVG uploads by users).
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2023

CVE-2023-29410

Publication date:
18/04/2023
A CWE-20: Improper Input Validation vulnerability exists that could allow an authenticated attacker to gain the same privilege as the application on the server when a malicious payload is provided over HTTP for the server to execute.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2023

CVE-2023-30608

Publication date:
18/04/2023
sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issue has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2023-29196

Publication date:
18/04/2023
Discourse is an open source platform for community discussion. This vulnerability is not exploitable on the default install of Discourse. A custom feature must be enabled for it to work at all, and the attacker's payload must pass the CSP to be executed. However, if an attacker succeeds in embedding JavaScript that does pass the CSP, it could result in session hijacking for any users that view the attacker's post. The vulnerability is patched in the latest tests-passed, beta and stable branches. Users are advised to upgrade. Users unable to upgrade should enable and/or restore their site's CSP to the default one provided with Discourse, and remove any embeddable hosts configured.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2023

CVE-2023-28004

Publication date:
18/04/2023
A CWE-129: Improper Validation of an Array Index vulnerability exists where a specially crafted Ethernet request could result in denial of service or remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2023

CVE-2023-29002

Publication date:
18/04/2023
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. When run in debug mode, Cilium will log the contents of the `cilium-secrets` namespace. This could include data such as TLS private keys for Ingress and GatewayAPI resources. An attacker with access to debug output from the Cilium containers could use the resulting output to intercept and modify traffic to and from the affected cluster. Output of the sensitive information would occur at Cilium agent restart, when secrets in the namespace are modified, and on creation of Ingress or GatewayAPI resources. This vulnerability is fixed in Cilium releases 1.11.16, 1.12.9, and 1.13.2. Users unable to upgrade should disable debug mode.
Severity CVSS v4.0: Pending analysis
Last modification:
04/05/2023

CVE-2023-28856

Publication date:
18/04/2023
Redis is an open source, in-memory database that persists on disk. Authenticated users can use the `HINCRBYFLOAT` command to create an invalid hash field that will crash Redis on access in affected versions. This issue has been addressed in versions 7.0.11, 6.2.12, and 6.0.19. Users are advised to upgrade. There are no known workarounds for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2023

CVE-2023-29413

Publication date:
18/04/2023
A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause Denial-of-Service when accessed by an unauthenticated user on the Schneider UPS Monitor service.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2023

CVE-2023-29412

Publication date:
18/04/2023
A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote code execution when manipulating internal methods through the Java RMI interface.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2024