Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-22047

Publication date:
04/01/2024
A race condition exists in Audited 4.0.0 to 5.3.3 that can result in an authenticated user to cause audit log entries to be attributed to another user.
Severity CVSS v4.0: Pending analysis
Last modification:
28/11/2025

CVE-2024-22048

Publication date:
04/01/2024
govuk_tech_docs versions from 2.0.2 to before 3.3.1 are vulnerable to a cross-site scripting vulnerability. Malicious JavaScript may be executed in the user's browser if a malicious search result is displayed on the search page.
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2025

CVE-2023-5619

Publication date:
04/01/2024
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-6530. Reason: This candidate is a reservation duplicate of CVE-2023-6530. Notes: All CVE users should reference CVE-2023-43226 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
04/01/2024

CVE-2024-21636

Publication date:
04/01/2024
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a `#call` method (i.e. instead of using a sidecar template) are affected. The return value of the `#call` method is not sanitized and can include user-defined content. In addition, the return value of the `#output_postamble` method is not sanitized, which can also lead to cross-site scripting issues. Versions 3.9.0 and 2.83.0 have been released and fully mitigate both the `#call` and the `#output_postamble` vulnerabilities. As a workaround, sanitize the return value of `#call`.
Severity CVSS v4.0: Pending analysis
Last modification:
10/01/2024

CVE-2023-51154

Publication date:
04/01/2024
Jizhicms v2.5 was discovered to contain an arbitrary file download vulnerability via the component /admin/c/PluginsController.php.
Severity CVSS v4.0: Pending analysis
Last modification:
18/06/2025

CVE-2023-51812

Publication date:
04/01/2024
Tenda AX3 v16.03.12.11 was discovered to contain a remote code execution (RCE) vulnerability via the list parameter at /goform/SetNetControlList.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2025

CVE-2023-5442

Publication date:
04/01/2024
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-6991. Reason: This candidate is a reservation duplicate of CVE-2023-6991. Notes: All CVE users should reference CVE-2023-43226 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
04/01/2024

CVE-2023-6270

Publication date:
04/01/2024
A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2026

CVE-2023-6551

Publication date:
04/01/2024
As a simple library, class.upload.php does not perform an in-depth check on uploaded files, allowing a stored XSS vulnerability when the default configuration is used. Developers must be aware of that fact and use extension whitelisting accompanied by forcing the server to always provide content-type based on the file extension. The README has been updated to include these guidelines.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2025

CVE-2024-21625

Publication date:
04/01/2024
SideQuest is a place to get virtual reality applications for Oculus Quest. The SideQuest desktop application uses deep links with a custom protocol (`sidequest://`) to trigger actions in the application from its web contents. Because, prior to version 0.10.35, the deep link URLs were not sanitized properly in all cases, a one-click remote code execution can be achieved in cases when a device is connected, the user is presented with a malicious link and clicks it from within the application. As of version 0.10.35, the custom protocol links within the electron application are now being parsed and sanitized properly.
Severity CVSS v4.0: Pending analysis
Last modification:
11/01/2024

CVE-2023-50864

Publication date:
04/01/2024
Travel Website v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'hotelId' parameter of the hotelDetails.php resource does not validate the characters received and they are sent unfiltered to the database.
Severity CVSS v4.0: Pending analysis
Last modification:
10/01/2024

CVE-2023-50865

Publication date:
04/01/2024
Travel Website v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'city' parameter of the hotelSearch.php resource does not validate the characters received and they are sent unfiltered to the database.
Severity CVSS v4.0: Pending analysis
Last modification:
10/01/2024