Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-5798

Publication date:
26/10/2023
The Assistant WordPress plugin before 1.4.4 does not validate a parameter before making a request to it via wp_remote_get(), which could allow users with a role as low as Editor to perform SSRF attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2025

CVE-2023-46754

Publication date:
26/10/2023
The admin panel for Obl.ong before 1.1.2 allows authorization bypass because the email OTP feature accepts arbitrary numerical values.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-5139

Publication date:
26/10/2023
Potential buffer overflow vulnerability at the following location in the Zephyr STM32 Crypto driver
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2024

CVE-2023-46752

Publication date:
26/10/2023
An issue was discovered in FRRouting FRR through 9.0.1. It mishandles malformed MP_REACH_NLRI data, leading to a crash.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2023-46753

Publication date:
26/10/2023
An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur for a crafted BGP UPDATE message without mandatory attributes, e.g., one with only an unknown transit attribute.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2023-31421

Publication date:
26/10/2023
It was discovered that when acting as TLS clients, Beats, Elastic Agent, APM Server, and Fleet Server did not verify whether the server certificate is valid for the target IP address; however, certificate signature validation is still performed. More specifically, when the client is configured to connect to an IP address (instead of a hostname) it does not validate the server certificate's IP SAN values against that IP address and certificate validation fails, and therefore the connection is not blocked as expected.
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2024

CVE-2023-31422

Publication date:
26/10/2023
An issue was discovered by Elastic whereby sensitive information is recorded in Kibana logs in the event of an error. The issue impacts only Kibana version 8.10.0 when logging in the JSON layout or when the pattern layout is configured to log the %meta pattern. Elastic has released Kibana 8.10.1 which resolves this issue. The error object recorded in the log contains request information, which can include sensitive data, such as authentication credentials, cookies, authorization headers, query params, request paths, and other metadata. Some examples of sensitive data which can be included in the logs are account credentials for kibana_system, kibana-metricbeat, or Kibana end-users.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2023

CVE-2023-46667

Publication date:
26/10/2023
An issue was discovered in Fleet Server >= v8.10.0 and
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2023

CVE-2023-43905

Publication date:
26/10/2023
Incorrect access control in writercms v1.1.0 allows attackers to directly obtain backend account passwords via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2024

CVE-2023-43906

Publication date:
26/10/2023
Xolo CMS v0.11 was discovered to contain a reflected cross-site scripting (XSS) vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2023

CVE-2023-46345

Publication date:
26/10/2023
Catdoc v0.95 was discovered to contain a NULL pointer dereference via the component xls2csv at src/xlsparse.c.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2023

CVE-2023-46668

Publication date:
26/10/2023
If Elastic Endpoint (v7.9.0 - v8.10.3) is configured to use a non-default option in which the logging level is explicitly set to debug, and when Elastic Agent is simultaneously configured to collect and send those logs to Elasticsearch, then Elastic Agent API keys can be viewed in Elasticsearch in plaintext. These API keys could be used to write arbitrary data and read Elastic Endpoint user artifacts.
Severity CVSS v4.0: Pending analysis
Last modification:
06/11/2023