Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information in the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still translating them. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or fixes provided by the manufacturers and developers. Advanced searches can narrow down the results by criteria such as vulnerability type, manufacturer and impact level.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. The list below, updated daily, shows the most recent entries.

CVE-2023-46919

Publication date:
27/12/2023
Phlox com.phlox.simpleserver (aka Simple HTTP Server) 1.8 and com.phlox.simpleserver.plus (aka Simple HTTP Server PLUS) 1.8.1-plus have a hardcoded aKySWb2jjrr4dzkYXczKRt7K (AES) encryption key. An attacker with physical access to the application's source code or binary can extract this key and use it to decrypt the TLS secret.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2024

CVE-2023-47882

Publication date:
27/12/2023
The Kami Vision YI IoT com.yunyi.smartcamera application through 4.1.9_20231127 for Android allows a remote attacker to execute arbitrary JavaScript code via an implicit intent to the com.ants360.yicamera.activity.WebViewActivity component.
Severity CVSS v4.0: Pending analysis
Last modification:
09/01/2024

CVE-2023-47883

Publication date:
27/12/2023
The com.altamirano.fabricio.tvbrowser TV browser application through 4.5.1 for Android is vulnerable to JavaScript code execution via an explicit intent due to an exposed MainActivity.
Severity CVSS v4.0: Pending analysis
Last modification:
09/01/2024

CVE-2023-51074

Publication date:
27/12/2023
json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.
Severity CVSS v4.0: Pending analysis
Last modification:
11/01/2024

CVE-2023-51079

Publication date:
27/12/2023
A long execution time can occur in the ParseTools.subCompileExpression method in MVEL 2.5.0.Final because of many Java class lookups. NOTE: the vendor disputes this because "the only thing that you could expect is that the parser will take a crazy amount of time to complete its task."
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2024

CVE-2023-51080

Publication date:
27/12/2023
The NumberUtil.toBigDecimal method in hutool-core v5.8.23 was discovered to contain a stack overflow.
Severity CVSS v4.0: Pending analysis
Last modification:
04/01/2024

CVE-2023-51084

Publication date:
27/12/2023
hyavijava v6.0.07.1 was discovered to contain a stack overflow via the ResultConverter.convert2Xml method.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2024
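
The stack overflows reported above in parsing and conversion routines (CVE-2023-51074 in json-path, CVE-2023-51080 in hutool-core, CVE-2023-51084 in hyavijava) belong to a bug class in which a recursive routine's depth is dictated by attacker-controlled input. The Python example below is added here and is not code from any of those projects: it shows a minimal recursive-descent parser with and without a nesting bound. The grammar, the limit of 32 levels and the hostile input are assumptions made for the illustration.

```python
# Added illustration (not json-path, hutool or hyavijava code) of the bug class
# behind input-controlled stack overflows: a recursive-descent parser whose
# recursion depth follows the input, beside a version that bounds it.
import sys
from typing import Optional, Tuple


class NestingTooDeep(ValueError):
    """Raised by the bounded parser instead of exhausting the call stack."""


def _parse(expr: str, pos: int, depth: int, max_depth: Optional[int]) -> Tuple[int, int]:
    """Parse expr[pos:] against the grammar  expr := INT | '(' expr ')'.

    Returns (value, position after the parsed expression). Each '(' costs one
    stack frame, so nesting depth maps directly onto stack depth.
    """
    if max_depth is not None and depth > max_depth:
        raise NestingTooDeep(f"nesting deeper than {max_depth} at offset {pos}")
    if pos >= len(expr):
        raise ValueError("unexpected end of input")
    if expr[pos] == "(":
        value, pos = _parse(expr, pos + 1, depth + 1, max_depth)
        if pos >= len(expr) or expr[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return value, pos + 1
    end = pos
    while end < len(expr) and expr[end].isdigit():
        end += 1
    if end == pos:
        raise ValueError(f"expected an integer at offset {pos}")
    return int(expr[pos:end]), end


def parse_unbounded(expr: str) -> int:
    """Vulnerable variant: depth is limited only by the interpreter's stack."""
    value, end = _parse(expr, 0, 0, None)
    if end != len(expr):
        raise ValueError(f"trailing input at offset {end}")
    return value


def parse_bounded(expr: str, max_depth: int = 32) -> int:
    """Hardened variant: an assumed limit of 32 levels, enforced on the way down."""
    value, end = _parse(expr, 0, 0, max_depth)
    if end != len(expr):
        raise ValueError(f"trailing input at offset {end}")
    return value


def unbounded_overflows(expr: str) -> bool:
    """True if parse_unbounded() exhausts the stack on expr (RecursionError in
    CPython; the JVM equivalent is java.lang.StackOverflowError)."""
    try:
        parse_unbounded(expr)
    except RecursionError:
        return True
    return False


def bounded_rejects(expr: str, max_depth: int = 32) -> bool:
    """True if parse_bounded() refuses expr because it nests too deeply."""
    try:
        parse_bounded(expr, max_depth)
    except NestingTooDeep:
        return True
    return False


def hostile_input(levels: int) -> str:
    """Constructed attacker input: `levels` nested parentheses around one digit."""
    return "(" * levels + "1" + ")" * levels


if __name__ == "__main__":
    deep = hostile_input(sys.getrecursionlimit() * 4)
    print("unbounded parser overflows:", unbounded_overflows(deep))
    print("bounded parser rejects it:", bounded_rejects(deep))
    print("bounded parser on ((42)):", parse_bounded("((42))"))
```

The bound is checked before recursing, so the hostile input is rejected after at most max_depth frames rather than after the stack is gone; in a JVM library the equivalent is a depth counter passed through the recursive call, since StackOverflowError is not something a caller can reliably recover from.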

CVE-2023-51075

Publication date:
27/12/2023
hutool-core v5.8.23 was discovered to contain an infinite loop in the StrSplitter.splitByRegex function. This vulnerability allows attackers to cause a Denial of Service (DoS) via manipulation of the first two parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
17/04/2025
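
An infinite loop in a regex splitter driven by its first two parameters (the text and the separator) is a recognisable pattern: the scan resumes at the end of the last match, and a separator that can match the empty string leaves the scan position where it was. The Python example below is added here as an illustration of that bug class; it is not hutool's StrSplitter code, and the iteration cap in the naive variant exists only so the example terminates.

```python
# Added illustration of the bug class (not hutool's StrSplitter code): a regex
# splitter that resumes scanning at the end of the last separator match stalls
# as soon as the separator can match the empty string, because the scan
# position never moves. Both inputs, text and separator, are attacker data.
import re
from typing import List


class SplitterStalled(RuntimeError):
    """Raised by the naive splitter instead of looping forever."""


def split_by_regex_naive(text: str, pattern: str, max_iterations: int = 10_000) -> List[str]:
    """Vulnerable variant. The max_iterations guard is only so this example
    terminates; the real bug class has no such guard and spins at 100% CPU."""
    sep = re.compile(pattern)
    parts: List[str] = []
    pos = 0
    for _ in range(max_iterations):
        m = sep.search(text, pos)
        if m is None:
            parts.append(text[pos:])
            return parts
        parts.append(text[pos:m.start()])
        pos = m.end()            # unchanged when m.start() == m.end()
    raise SplitterStalled(f"no progress after {max_iterations} iterations")


def split_by_regex_safe(text: str, pattern: str) -> List[str]:
    """Hardened variant: reject separators that can match nothing, and skip any
    zero-width match that still occurs so the scan position always advances."""
    sep = re.compile(pattern)
    if sep.fullmatch("") is not None:
        raise ValueError("separator regex must not match the empty string")
    parts: List[str] = []
    pos = 0
    for m in sep.finditer(text):   # finditer() always moves past each match
        if m.end() == m.start():
            continue
        parts.append(text[pos:m.start()])
        pos = m.end()
    parts.append(text[pos:])
    return parts


def naive_stalls(text: str, pattern: str) -> bool:
    """True if the naive splitter makes no progress on (text, pattern)."""
    try:
        split_by_regex_naive(text, pattern)
    except SplitterStalled:
        return True
    return False


def safe_rejects(text: str, pattern: str) -> bool:
    """True if the hardened splitter refuses the separator up front."""
    try:
        split_by_regex_safe(text, pattern)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(split_by_regex_safe("a, b,c", r",\s*"))   # constructed input
    print("naive stalls on 'x*':", naive_stalls("abc", "x*"))
    print("safe rejects 'x*':", safe_rejects("abc", "x*"))
```

The fullmatch("") check catches separators such as "x*" or "\s*" before any scanning starts; the zero-width skip inside the loop covers patterns that match empty only in context (lookarounds), which the up-front check cannot see. Untrusted regexes also deserve a length or complexity limit, but that is a separate control from the progress guarantee shown here.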

CVE-2023-43481

Publication date:
27/12/2023
An issue in Shenzhen TCL Browser TV Web BrowseHere (aka com.tcl.browser) 6.65.022_dab24cc6_231221_gp allows a remote attacker to execute arbitrary JavaScript code via the com.tcl.browser.portal.browse.activity.BrowsePageActivity component.
Severity CVSS v4.0: Pending analysis
Last modification:
27/08/2024

CVE-2023-40038

Publication date:
27/12/2023
Arris DG860A and DG1670A devices have predictable default WPA2 PSKs that could lead to unauthorized remote access. (They use the first 6 characters of the SSID and the last 6 characters of the BSSID, decrementing the last digit.)
Severity CVSS v4.0: Pending analysis
Last modification:
04/01/2024
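
Because both inputs to the scheme above are broadcast in every beacon frame, a passive listener holds everything needed to derive the default key. The Python example below is an audit check added here, not Arris code: it recomputes the PSK the advisory describes and compares it with the PSK a device is actually configured with, so an operator can confirm a network is no longer on the predictable default. The advisory gives only the shape of the scheme; the BSSID normalisation (12 hex digits, separators removed, case ignored), the decrement being applied to the final hex digit, the "0" to "f" wrap, and the sample SSID and BSSID are all assumptions made for the example.

```python
# Added audit check, not Arris code: recompute the default-PSK scheme the
# advisory describes (SSID[:6] + BSSID[-6:] with the last digit decremented)
# and compare it with the PSK a device is actually using. Normalisation, the
# hex decrement and the 0 -> f wrap are assumptions not stated in the advisory.
HEX = "0123456789abcdef"


def _normalise_bssid(bssid: str) -> str:
    """Strip ':' or '-' separators and lower-case; require 12 hex digits."""
    b = bssid.replace(":", "").replace("-", "").lower()
    if len(b) != 12 or any(c not in HEX for c in b):
        raise ValueError("BSSID must be 12 hex digits")
    return b


def predictable_default_psk(ssid: str, bssid: str) -> str:
    """PSK implied by the scheme: first 6 chars of the SSID, then the last 6
    hex digits of the BSSID with the final digit decremented by one."""
    tail = _normalise_bssid(bssid)[-6:]
    last = (int(tail[-1], 16) - 1) % 16          # assumption: hex, wraps 0 -> f
    return ssid[:6] + tail[:-1] + HEX[last]


def psk_is_predictable(ssid: str, bssid: str, configured_psk: str) -> bool:
    """True if the configured PSK is the derivable default (case-insensitive)."""
    return configured_psk.lower() == predictable_default_psk(ssid, bssid).lower()


if __name__ == "__main__":
    # Constructed sample network, not a real device.
    ssid, bssid = "ArrisHome", "00:1d:d0:ab:cd:14"
    print("derived default PSK:", predictable_default_psk(ssid, bssid))
    print("still on default:", psk_is_predictable(ssid, bssid, "arrishabcd13"))
```

A PSK that this function reproduces has no entropy beyond what the access point already announces; the only fix is to set a PSK that is independent of the SSID and BSSID, and the check is worth running across a fleet whenever a device model with a documented derivation scheme is in service.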

CVE-2023-52075

Publication date:
27/12/2023
ReVanced API proxies requests needed to feed the ReVanced Manager and website with data. Up to and including commit 71f81f7f20cd26fd707335bca9838fa3e7df20d2, ReVanced API lacks error caching causing rate limit to be triggered thus increasing server load. This causes a denial of service for all users using the API. It is recommended to implement proper error caching.
Severity CVSS v4.0: Pending analysis
Last modification:
04/01/2024
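
The control the advisory above says was missing is negative caching: a proxy that remembers an upstream error for a short time instead of forwarding every client request to a failing upstream. The Python example below is added here and is not ReVanced API code; the endpoint path, the failing upstream and the TTLs are constructed for the illustration.

```python
# Added illustration, not ReVanced API code, of negative caching in a proxy.
# Without it every client request reaching a failing upstream is forwarded
# again, the upstream's rate limit trips, and one upstream failure becomes an
# outage for every user of the proxy. Path, upstream and TTLs are constructed.
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class Response:
    status: int
    body: str


class CachingProxy:
    """Forward GETs to `fetch`; cache successes for ok_ttl and errors for error_ttl."""

    def __init__(self, fetch: Callable[[str], Response], ok_ttl: float = 300.0,
                 error_ttl: float = 30.0, cache_errors: bool = True,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch
        self._ok_ttl = ok_ttl
        self._error_ttl = error_ttl          # short, so upstream recovery is noticed
        self._cache_errors = cache_errors
        self._clock = clock
        self._cache: Dict[str, Tuple[float, Response]] = {}
        self.upstream_calls = 0

    def get(self, path: str) -> Response:
        now = self._clock()
        hit = self._cache.get(path)
        if hit is not None and hit[0] > now:
            return hit[1]                    # served from cache, upstream untouched
        self.upstream_calls += 1
        resp = self._fetch(path)
        if resp.status < 400:
            self._cache[path] = (now + self._ok_ttl, resp)
        elif self._cache_errors:
            self._cache[path] = (now + self._error_ttl, resp)
        return resp


def upstream_calls_under_failure(cache_errors: bool, client_requests: int = 50) -> int:
    """Simulate `client_requests` client hits spread over 5 seconds against an
    upstream that answers every call with HTTP 429; return how many calls reached it."""
    def rate_limited_upstream(path: str) -> Response:
        return Response(429, "rate limited")          # constructed stand-in

    fake_now = [0.0]                                  # controllable clock
    proxy = CachingProxy(rate_limited_upstream, cache_errors=cache_errors,
                         clock=lambda: fake_now[0])
    for _ in range(client_requests):
        proxy.get("/example/latest")                  # assumed path
        fake_now[0] += 0.1
    return proxy.upstream_calls


if __name__ == "__main__":
    print("upstream calls without error caching:", upstream_calls_under_failure(False))
    print("upstream calls with error caching:", upstream_calls_under_failure(True))
```

Keep the error TTL well below the success TTL: long enough to absorb a burst of client traffic while the upstream is throttling, short enough that the proxy retries soon after the upstream recovers. Caching errors by path also means one bad route does not poison responses for others.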

CVE-2023-52077

Publication date:
27/12/2023
Nexkey is a lightweight fork of Misskey v12 optimized for small to medium size servers. Prior to 12.23Q4.5, Nexkey allows external apps using tokens issued by administrators and moderators to call admin APIs. This allows malicious third-party apps to perform operations such as updating server settings, as well as compromise object storage and email server credentials. This issue has been patched in 12.23Q4.5.
Severity CVSS v4.0: Pending analysis
Last modification:
04/01/2024
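
The authorisation rule implied by the fix above is that an admin API must check two things: that the caller holds an admin or moderator role, and that the credential is a first-party session rather than a token the admin delegated to a third-party app. The Python example below is added here and is not Nexkey or Misskey code; the token fields, permission names and endpoint table are assumptions made for the illustration.

```python
# Added illustration, not Nexkey or Misskey code: admin endpoints must require
# both an admin owner and a non-delegated credential, so that a token an admin
# issued to a third-party app cannot reach them. Token fields, permission
# names and the endpoint table below are assumed for the example.
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, Optional


@dataclass(frozen=True)
class Token:
    user_id: str
    user_is_admin: bool                  # role of the user the token belongs to
    app_id: Optional[str]                # None for a first-party session token
    permissions: FrozenSet[str] = field(default_factory=frozenset)


class Forbidden(Exception):
    pass


# Assumed endpoint -> required permission table; "admin" marks admin-only APIs.
ENDPOINT_PERMISSION = {
    "notes/create": "write:notes",
    "i": "read:account",
    "admin/update-server-settings": "admin",
    "admin/update-object-storage": "admin",
}


def authorise_vulnerable(token: Token, endpoint: str) -> None:
    """Checks only the owner's role on admin APIs, so an app token minted by
    an admin passes even though the app was never granted admin rights."""
    perm = ENDPOINT_PERMISSION.get(endpoint)
    if perm is None:
        raise Forbidden(endpoint)                        # deny unknown endpoints
    if perm == "admin":
        if not token.user_is_admin:
            raise Forbidden(endpoint)
        return
    if token.app_id is not None and perm not in token.permissions:
        raise Forbidden(endpoint)


def authorise_fixed(token: Token, endpoint: str) -> None:
    """Admin APIs need an admin owner AND a first-party (non-delegated) credential."""
    perm = ENDPOINT_PERMISSION.get(endpoint)
    if perm is None:
        raise Forbidden(endpoint)
    if perm == "admin":
        if not token.user_is_admin:
            raise Forbidden(endpoint)
        if token.app_id is not None:
            raise Forbidden(f"{endpoint}: delegated app tokens may not call admin APIs")
        return
    if token.app_id is not None and perm not in token.permissions:
        raise Forbidden(endpoint)


def allowed(check: Callable[[Token, str], None], token: Token, endpoint: str) -> bool:
    """True if `check` lets `token` call `endpoint`."""
    try:
        check(token, endpoint)
    except Forbidden:
        return False
    return True


# Constructed tokens: an admin's own session, the same admin's delegation to a
# third-party app with only "write:notes", and a regular user's app token.
ADMIN_SESSION = Token("admin1", True, None)
ADMIN_APP_TOKEN = Token("admin1", True, "third-party-app", frozenset({"write:notes"}))
USER_APP_TOKEN = Token("user7", False, "third-party-app", frozenset({"write:notes"}))

if __name__ == "__main__":
    target = "admin/update-object-storage"
    print("vulnerable check lets the app token in:", allowed(authorise_vulnerable, ADMIN_APP_TOKEN, target))
    print("fixed check lets the app token in:", allowed(authorise_fixed, ADMIN_APP_TOKEN, target))
```

The general rule is that a delegated credential should never be able to exceed the scope it was granted, regardless of how privileged its owner is; checking the owner's role alone conflates "who" with "on whose behalf", which is exactly what let a third-party app update server settings and read object-storage and mail credentials here.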