Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-36393
Publication date:
06/03/2023
In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2023

CVE-2021-36394
Publication date:
06/03/2023
In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin.
Severity CVSS v4.0: Pending analysis
Last modification:
06/03/2025

CVE-2021-36395
Publication date:
06/03/2023
In Moodle, the file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2025

CVE-2021-36396
Publication date:
06/03/2023
In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk.
Severity CVSS v4.0: Pending analysis
Last modification:
05/03/2025

CVE-2023-0093
Publication date:
06/03/2023
Okta Advanced Server Access Client versions 1.13.1 through 1.65.0 are vulnerable to command injection due to the third party library webbrowser. An outdated library, webbrowser, used by the ASA client was found to be vulnerable to command injection. To exploit this issue, an attacker would need to phish the user to enter an attacker controlled server URL during enrollment.
Severity CVSS v4.0: Pending analysis
Last modification:
06/03/2025

CVE-2023-1161
Publication date:
06/03/2023
ISO 15765 and ISO 10681 dissector crash in Wireshark 4.0.0 to 4.0.3 and 3.6.0 to 3.6.11 allows denial of service via packet injection or crafted capture file
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2023-24763
Publication date:
06/03/2023
In the module "Xen Forum" (xenforum) for PrestaShop, an authenticated user can perform SQL injection in versions up to 2.13.0.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2025

CVE-2023-26600
Publication date:
06/03/2023
ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987 allow privilege escalation via query reports.
Severity CVSS v4.0: Pending analysis
Last modification:
06/03/2025

CVE-2021-35377
Publication date:
06/03/2023
Cross Site Scripting vulnerability found in VICIdial v2.14-610c and v.2.10-415c allows attackers execute arbitrary code via the /agc/vicidial.php, agc/vicidial-greay.php, and /vicidial/KHOMP_admin.php parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2023

CVE-2023-24776
Publication date:
06/03/2023
Funadmin v3.2.0 was discovered to contain a remote code execution (RCE) vulnerability via the component \controller\Addon.php.
Severity CVSS v4.0: Pending analysis
Last modification:
06/03/2025

CVE-2023-26054
Publication date:
06/03/2023
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In affected versions when the user sends a build request that contains a Git URL that contains credentials and the build creates a provenance attestation describing that build, these credentials could be visible from the provenance attestation. Git URL can be passed in two ways: 1) Invoking build directly from a URL with credentials. 2) If the client sends additional version control system (VCS) info hint parameters on builds from a local source. Usually, that would mean reading the origin URL from `.git/config` file. When a build is performed under specific conditions where credentials were passed to BuildKit they may be visible to everyone who has access to provenance attestation. Provenance attestations and VCS info hints were added in version v0.11.0. Previous versions are not vulnerable. In v0.10, when building directly from Git URL, the same URL could be visible in `BuildInfo` structure that is a predecessor of Provenance attestations. Previous versions are not vulnerable. This bug has been fixed in v0.11.4. Users are advised to upgrade. Users unable to upgrade may disable VCS info hints by setting `BUILDX_GIT_INFO=0`. `buildctl` does not set VCS hints based on `.git` directory, and values would need to be passed manually with `--opt`.
Severity CVSS v4.0: Pending analysis
Last modification:
15/09/2023

CVE-2023-27472
Publication date:
06/03/2023
quickentity-editor-next is an open source, system local, video game asset editor. In affected versions HTML tags in entity names are not sanitised (XSS vulnerability). Allows arbitrary code execution within the browser sandbox, among other things, simply from loading a file containing a script tag in any entity name. This issue has been patched in version 1.28.1 of the application. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023
Subscribe to Vulnerabilities