Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish by virtue of a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, as different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-2815

Publication date:
14/01/2023
Insecure Storage of Sensitive Information in GitHub repository publify/publify prior to 9.2.10.
Severity CVSS v4.0: Pending analysis
Last modification:
20/01/2023

CVE-2022-1812

Publication date:
14/01/2023
Integer Overflow or Wraparound in GitHub repository publify/publify prior to 9.2.10.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2023

CVE-2022-38467

Publication date:
14/01/2023
Reflected Cross-Site Scripting (XSS) vulnerability in CRM Perks Forms – WordPress Form Builder
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-45353

Publication date:
14/01/2023
Broken Access Control in Betheme theme
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-22602

Publication date:
14/01/2023
When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-0298

Publication date:
14/01/2023
Incorrect Authorization in GitHub repository firefly-iii/firefly-iii prior to 5.8.0.
Severity CVSS v4.0: Pending analysis
Last modification:
02/03/2023

CVE-2023-0297

Publication date:
14/01/2023
Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2023

CVE-2023-22851

Publication date:
14/01/2023
Tiki before 24.2 allows lib/importer/tikiimporter_blog_wordpress.php PHP Object Injection by an admin because of an unserialize call.
Severity CVSS v4.0: Pending analysis
Last modification:
04/04/2025

CVE-2023-22850

Publication date:
14/01/2023
Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call.
Severity CVSS v4.0: Pending analysis
Last modification:
07/04/2025

CVE-2023-22497

Publication date:
14/01/2023
Netdata is an open source option for real-time infrastructure monitoring and troubleshooting. Each Netdata Agent has an automatically generated MACHINE GUID. It is generated when the agent first starts and it is saved to disk, so that it will persist across restarts and reboots. Anyone who has access to a Netdata Agent has access to its MACHINE_GUID. Streaming is a feature that allows a Netdata Agent to act as parent for other Netdata Agents (children), offloading children from various functions (increased data retention, ML, health monitoring, etc) that can now be handled by the parent Agent. Configuration is done via `stream.conf`. On the parent side, users configure in `stream.conf` an API key (any random UUID can do) to provide common configuration for all children using this API key and per MACHINE GUID configuration to customize the configuration for each child. The way this was implemented, allowed an attacker to use a valid MACHINE_GUID as an API key. This affects all users who expose their Netdata Agents (children) to non-trusted users and they also expose to the same users Netdata Agent parents that aggregate data from all these children. The problem has been fixed in: Netdata agent v1.37 (stable) and Netdata agent v1.36.0-409 (nightly). As a workaround, do not enable streaming by default. If you have previously enabled this, it can be disabled. Limiting access to the port on the recipient Agent to trusted child connections may mitigate the impact of this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
24/01/2023

CVE-2022-38287

Publication date:
14/01/2023
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-22852

Publication date:
14/01/2023
Tiki through 25.0 allows CSRF attacks that are related to tiki-importer.php and tiki-import_sheet.php.
Severity CVSS v4.0: Pending analysis
Last modification:
07/04/2025