Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-31134
Publication date:
09/05/2023
Tauri is software for building applications for multi-platform deployment. The Tauri IPC is usually strictly isolated from external websites, but in versions 1.0.0 until 1.0.9, 1.1.0 until 1.1.4, and 1.2.0 until 1.2.5, the isolation can be bypassed by redirecting an existing Tauri window to an external website. This is either possible by an application implementing a feature for users to visit<br /> arbitrary websites or due to a bug allowing the open redirect. This allows the external website access to the IPC layer and therefore to all configured and exposed Tauri API endpoints and application specific implemented Tauri commands. This issue has been patched in versions 1.0.9, 1.1.4, and 1.2.5. As a workaround, prevent arbitrary input in redirect features and/or only allow trusted websites access to the IPC.
Severity CVSS v4.0: Pending analysis
Last modification:
16/05/2023

CVE-2023-29461
Publication date:
09/05/2023
An arbitrary code execution vulnerability contained in Rockwell Automation&amp;#39;s Arena Simulation software was reported that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow in the heap. <br /> <br /> potentially resulting in a complete loss of confidentiality, integrity, and availability.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
17/12/2024

CVE-2023-29460
Publication date:
09/05/2023
An arbitrary code execution vulnerability contained in Rockwell Automation&amp;#39;s Arena Simulation software was reported that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow potentially resulting in a complete loss of confidentiality, integrity, and availability.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
17/12/2024

CVE-2023-31976
Publication date:
09/05/2023
libming v0.4.8 was discovered to contain a stack buffer overflow via the function makeswf_preprocess at /util/makeswf_utils.c.
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2025

CVE-2023-31981
Publication date:
09/05/2023
Sngrep v1.6.0 was discovered to contain a stack buffer overflow via the function packet_set_payload at /src/packet.c.
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2025

CVE-2023-31982
Publication date:
09/05/2023
Sngrep v1.6.0 was discovered to contain a heap buffer overflow via the function capture_packet_reasm_ip at /src/capture.c.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2025

CVE-2023-31136
Publication date:
09/05/2023
PostgresNIO is a Swift client for PostgreSQL. Any user of PostgresNIO prior to version 1.14.2 connecting to servers with TLS enabled is vulnerable to a man-in-the-middle attacker injecting false responses to the client&amp;#39;s first few queries, despite the use of TLS certificate verification and encryption. The vulnerability is addressed in PostgresNIO versions starting from 1.14.2. There are no known workarounds for unpatched users.
Severity CVSS v4.0: Pending analysis
Last modification:
16/05/2023

CVE-2023-29462
Publication date:
09/05/2023
An arbitrary code execution vulnerability contained in Rockwell Automation&amp;#39;s Arena Simulation software was reported that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow in the heap. <br /> <br /> potentially resulting in a complete loss of confidentiality, integrity, and availability.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
17/12/2024

CVE-2023-31137
Publication date:
09/05/2023
MaraDNS is open-source software that implements the Domain Name System (DNS). In version 3.5.0024 and prior, a remotely exploitable integer underflow vulnerability in the DNS packet decompression function allows an attacker to cause a Denial of Service by triggering an abnormal program termination.<br /> <br /> The vulnerability exists in the `decomp_get_rddata` function within the `Decompress.c` file. When handling a DNS packet with an Answer RR of qtype 16 (TXT record) and any qclass, if the `rdlength` is smaller than `rdata`, the result of the line `Decompress.c:886` is a negative number `len = rdlength - total;`. This value is then passed to the `decomp_append_bytes` function without proper validation, causing the program to attempt to allocate a massive chunk of memory that is impossible to allocate. Consequently, the program exits with an error code of 64, causing a Denial of Service.<br /> <br /> One proposed fix for this vulnerability is to patch `Decompress.c:887` by breaking `if(len
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2024

CVE-2023-31973
Publication date:
09/05/2023
yasm v1.3.0 was discovered to contain a use after free via the function expand_mmac_params at /nasm/nasm-pp.c. Note: Multiple third parties dispute this as a bug and not a vulnerability according to the YASM security policy.
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2024

CVE-2023-31979
Publication date:
09/05/2023
Catdoc v0.95 was discovered to contain a global buffer overflow via the function process_file at /src/reader.c.
Severity CVSS v4.0: Pending analysis
Last modification:
18/02/2026

CVE-2023-31126
Publication date:
09/05/2023
`org.xwiki.commons:xwiki-commons-xml` is an XML library used by the open-source wiki platform XWiki. The HTML sanitizer, introduced in version 14.6-rc-1, allows the injection of arbitrary HTML code and thus cross-site scripting via invalid data attributes. This vulnerability does not affect restricted cleaning in HTMLCleaner as there attributes are cleaned and thus characters like `/` and `&gt;` are removed in all attribute names. This problem has been patched in XWiki 14.10.4 and 15.0 RC1 by making sure that data attributes only contain allowed characters. There are no known workarounds apart from upgrading to a version including the fix.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2025
Subscribe to Vulnerabilities