Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – and INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-6991

Publication date:
15/01/2024
The JSM file_get_contents() Shortcode WordPress plugin before 2.7.1 does not validate one of its shortcode's parameters before making a request to it, which could allow users with contributor role and above to perform SSRF attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2025

CVE-2024-0314

Publication date:
15/01/2024
XSS vulnerability in FireEye Central Management affecting version 9.1.1.956704, which could allow an attacker to modify special HTML elements in the application and cause a reflected XSS, leading to a session hijacking.
Severity CVSS v4.0: Pending analysis
Last modification:
19/01/2024

CVE-2023-4925

Publication date:
15/01/2024
The Easy Forms for Mailchimp WordPress plugin through 6.8.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2025

CVE-2023-50729

Publication date:
15/01/2024
Traccar is an open source GPS tracking system. Prior to 5.11, Traccar is affected by an unrestricted file upload vulnerability in its File feature that allows attackers to execute arbitrary code on the server. This vulnerability is more prevalent because Traccar is recommended to run web servers as the root user. It is also more dangerous because it can write or overwrite files in arbitrary locations. Version 5.11 was published to fix this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
19/01/2024

CVE-2023-4818

Publication date:
15/01/2024
PAX A920 device allows to downgrade bootloader due to a bug in its version check. The signature is correctly checked and only bootloader signed by PAX can be used. The attacker must have physical USB access to the device in order to exploit this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2025

CVE-2023-42134

Publication date:
15/01/2024
PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.45_20230314 or earlier can allow the signed partition overwrite and subsequently local code execution via hidden command. The attacker must have physical USB access to the device in order to exploit this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
19/01/2024

CVE-2023-42135

Publication date:
15/01/2024
PAX A920Pro/A50 devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow local code execution via parameter injection by bypassing the input validation when flashing a specific partition. The attacker must have physical USB access to the device in order to exploit this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
10/10/2024

CVE-2023-42136

Publication date:
15/01/2024
PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow the execution of arbitrary commands with system account privilege by shell injection starting with a specific word. The attacker must have shell access to the device in order to exploit this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
10/10/2024

CVE-2023-42137

Publication date:
15/01/2024
PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow for command execution with high privileges by using malicious symlinks. The attacker must have shell access to the device in order to exploit this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
10/10/2024

CVE-2024-20721

Publication date:
15/01/2024
Acrobat Reader T5 (MSFT Edge) versions 120.0.2210.91 and earlier are affected by an Improper Input Validation vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2024

CVE-2024-20709

Publication date:
15/01/2024
Acrobat Reader T5 (MSFT Edge) versions 120.0.2210.91 and earlier are affected by an Improper Input Validation vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2024

CVE-2023-4001

Publication date:
15/01/2024
An authentication bypass flaw was found in GRUB due to the way that GRUB uses the UUID of a device to search for the configuration file that contains the password hash for the GRUB password protection feature. An attacker capable of attaching an external drive such as a USB stick containing a file system with a duplicate UUID (the same as in the "/boot/" file system) can bypass the GRUB password protection feature on UEFI systems, which enumerate removable drives before non-removable ones. This issue was introduced in a downstream patch in Red Hat's version of grub2 and does not affect the upstream package.
Severity CVSS v4.0: Pending analysis
Last modification:
16/09/2024