Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-0819
Publication date:
13/02/2023
Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to v2.3.0-DEV.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2023

CVE-2015-10079
Publication date:
13/02/2023
A vulnerability was found in juju2143 WalrusIRC 0.0.2. It has been rated as problematic. This issue affects the function parseLinks of the file public/parser.js. The manipulation of the argument text leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 0.0.3 is able to address this issue. The patch is named 45fd885895ae13e8d9b3a71e89d59768914f60af. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-220751.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2024

CVE-2023-25572
Publication date:
13/02/2023
react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and using the `` are affected. `` outputs the field value using `dangerouslySetInnerHTML` without client-side sanitization. If the data isn&amp;#39;t sanitized server-side, this opens a possible cross-site scripting (XSS) attack. Versions 3.19.12 and 4.7.6 now use `DOMPurify` to escape the HTML before outputting it with React and `dangerouslySetInnerHTML`. Users who already sanitize HTML data server-side do not need to upgrade. As a workaround, users may replace the `` by a custom field doing sanitization by hand.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-25241
Publication date:
13/02/2023
bgERP v22.31 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Search parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
21/03/2025

CVE-2023-25240
Publication date:
13/02/2023
An improper SameSite Attribute vulnerability in pimCore v10.5.15 allows attackers to execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
21/03/2025

CVE-2023-25162
Publication date:
13/02/2023
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to 24.0.8 and 23.0.12 and Nextcloud Enterprise server prior to 24.0.8 and 23.0.12 are vulnerable to server-side request forgery (SSRF). Attackers can leverage enclosed alphanumeric payloads to bypass IP filters and gain SSRF, which would allow an attacker to read crucial metadata if the server is hosted on the AWS platform. Nextcloud Server 24.0.8 and 23.0.2 and Nextcloud Enterprise Server 24.0.8 and 23.0.12 contain a patch for this issue. No known workarounds are available.
Severity CVSS v4.0: Pending analysis
Last modification:
23/02/2023

CVE-2023-24086
Publication date:
13/02/2023
SLIMS v9.5.2 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /customs/loan_by_class.php?reportView.
Severity CVSS v4.0: Pending analysis
Last modification:
21/03/2025

CVE-2023-24084
Publication date:
13/02/2023
ChiKoi v1.0 was discovered to contain a SQL injection vulnerability via the load_file function.
Severity CVSS v4.0: Pending analysis
Last modification:
21/03/2025

CVE-2023-24648
Publication date:
13/02/2023
Zstore v6.6.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /index.php.
Severity CVSS v4.0: Pending analysis
Last modification:
21/03/2025

CVE-2023-25160
Publication date:
13/02/2023
Nextcloud Mail is an email app for the Nextcloud home server platform. Prior to versions 2.2.1, 1.14.5, 1.12.9, and 1.11.8, an attacker can access the mail box by ID getting the subjects and the first characters of the emails. Users should upgrade to Mail 2.2.1 for Nextcloud 25, Mail 1.14.5 for Nextcloud 22-24, Mail 1.12.9 for Nextcloud 21, or Mail 1.11.8 for Nextcloud 20 to receive a patch. No known workarounds are available.
Severity CVSS v4.0: Pending analysis
Last modification:
22/02/2023

CVE-2023-25161
Publication date:
13/02/2023
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 25.0.1 24.0.8, and 23.0.12 missing rate limiting on password reset functionality. This could result in service slowdown, storage overflow, or cost impact when using external email services. Users should upgrade to Nextcloud Server 25.0.1, 24.0.8, or 23.0.12 or Nextcloud Enterprise Server 25.0.1, 24.0.8, or 23.0.12 to receive a patch. No known workarounds are available.
Severity CVSS v4.0: Pending analysis
Last modification:
23/02/2023

CVE-2023-24646
Publication date:
13/02/2023
An arbitrary file upload vulnerability in the component /fos/admin/ajax.php of Food Ordering System v2.0 allows attackers to execute arbitrary code via a crafted PHP file.
Severity CVSS v4.0: Pending analysis
Last modification:
30/03/2026
Subscribe to Vulnerabilities