Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-44466

Publication date:
29/09/2023
An issue was discovered in net/ceph/messenger_v2.c in the Linux kernel before 6.4.5. There is an integer signedness error, leading to a buffer overflow and remote code execution via HELLO or one of the AUTH frames. This occurs because of an untrusted length taken from a TCP packet in ceph_decode_32.
Severity CVSS v4.0: Pending analysis
Last modification:
23/05/2025

CVE-2023-30591

Publication date:
29/09/2023
Denial-of-service in NodeBB
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2023

CVE-2023-26146

Publication date:
29/09/2023
All versions of the package ithewei/libhv are vulnerable to Cross-site Scripting (XSS) such that when a file with a name containing a malicious payload is served by the application, the filename is displayed without proper sanitization when it is rendered.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-26147

Publication date:
29/09/2023
All versions of the package ithewei/libhv are vulnerable to HTTP Response Splitting when untrusted user input is used to build headers values. An attacker can add the \r\n (carriage return line feeds) characters to end the HTTP response headers and inject malicious content, like for example additional headers or new response body, leading to a potential XSS vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-26148

Publication date:
29/09/2023
All versions of the package ithewei/libhv are vulnerable to CRLF Injection when untrusted user input is used to set request headers. An attacker can add the \r\n (carriage return line feeds) characters and inject additional headers in the request sent.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-44464

Publication date:
29/09/2023
pretix before 2023.7.2 allows Pillow to parse EPS files.
Severity CVSS v4.0: Pending analysis
Last modification:
12/10/2023

CVE-2023-3775

Publication date:
29/09/2023
A Vault Enterprise Sentinel Role Governing Policy created by an operator to restrict access to resources in one namespace can be applied to requests outside in another non-descendant namespace, potentially resulting in denial of service. Fixed in Vault Enterprise 1.15.0, 1.14.4, 1.13.8.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2024

CVE-2023-5077

Publication date:
29/09/2023
The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2024

CVE-2023-43654

Publication date:
28/09/2023
TorchServe is a tool for serving and scaling PyTorch models in production. TorchServe default configuration lacks proper input validation, enabling third parties to invoke remote HTTP download requests and write files to the disk. This issue could be taken advantage of to compromise the integrity of the system and sensitive data. This issue is present in versions 0.1.0 to 0.8.1. A user is able to load the model of their choice from any URL that they would like to use. The user of TorchServe is responsible for configuring both the allowed_urls and specifying the model URL to be used. A pull request to warn the user when the default value for allowed_urls is used has been merged in PR #2534. TorchServe release 0.8.2 includes this change. Users are advised to upgrade. There are no known workarounds for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
31/10/2023

CVE-2023-43014

Publication date:
28/09/2023
Asset Management System v1.0 is vulnerable to an authenticated SQL injection vulnerability on the 'first_name' and 'last_name' parameters of the user.php page, allowing an authenticated attacker to dump all the contents of the database.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2023

CVE-2023-43662

Publication date:
28/09/2023
ShokoServer is a media server which specializes in organizing anime. In affected versions the `/api/Image/WithPath` endpoint is accessible without authentication and is supposed to return default server images. The endpoint accepts the parameter `serverImagePath`, which is not sanitized in any way before being passed to `System.IO.File.OpenRead`, which results in an arbitrary file read. This issue may lead to an arbitrary file read which is exacerbated in the windows installer which installs the ShokoServer as administrator. Any unauthenticated attacker may be able to access sensitive information and read files stored on the server. The `/api/Image/WithPath` endpoint has been removed in commit `6c57ba0f0` which will be included in subsequent releases. Users should limit access to the `/api/Image/WithPath` endpoint or manually patch their installations until a patched release is made. This issue was discovered by the GitHub Security lab and is also indexed as GHSL-2023-191.
Severity CVSS v4.0: Pending analysis
Last modification:
06/10/2023

CVE-2023-43739

Publication date:
28/09/2023
The 'bookisbn' parameter of the cart.php resource does not validate the characters received and they are sent unfiltered to the database.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2023