Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with criteria such as vulnerability type, manufacturer and impact level, among others, to narrow down the results.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-25807

Publication date:
28/02/2023
DataEase is an open source data visualization and analysis tool. When saving a dashboard on the DataEase platform saved data can be modified and store malicious code. This vulnerability can lead to the execution of malicious code stored by the attacker on the server side when the user accesses the dashboard. The vulnerability has been fixed in version 1.18.3.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-26255

Publication date:
28/02/2023
An unauthenticated path traversal vulnerability affects the "STAGIL Navigation for Jira - Menu & Themes" plugin before 2.0.52 for Jira. By modifying the fileName parameter to the snjCustomDesignConfig endpoint, it is possible to traverse and read the file system.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2025

CVE-2023-26256

Publication date:
28/02/2023
An unauthenticated path traversal vulnerability affects the "STAGIL Navigation for Jira - Menu & Themes" plugin before 2.0.52 for Jira. By modifying the fileName parameter to the snjFooterNavigationConfig endpoint, it is possible to traverse and read the file system.
Severity CVSS v4.0: Pending analysis
Last modification:
21/03/2025

CVE-2023-23865

Publication date:
28/02/2023
Cross-Site Request Forgery (CSRF) vulnerability in Checkout Plugins Stripe Payments For WooCommerce plugin
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-23983

Publication date:
28/02/2023
Cross-Site Request Forgery (CSRF) vulnerability in wpdevart Responsive Vertical Icon Menu plugin
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-0461

Publication date:
28/02/2023
There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege.
There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock.
When CONFIG_TLS is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable.
The setsockopt TCP_ULP operation does not require any privilege.
We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c
Severity CVSS v4.0: Pending analysis
Last modification:
06/06/2023

CVE-2022-47612

Publication date:
28/02/2023
Cross-Site Request Forgery (CSRF) vulnerability in Roland Barker, xnau webdesign Participants Database plugin
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-47179

Publication date:
28/02/2023
Cross-Site Request Forgery (CSRF) vulnerability in Uwe Jacobs OWM Weather plugin
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-43459

Publication date:
28/02/2023
Cross-Site Request Forgery (CSRF) vulnerability in Forms by CaptainForm – Form Builder for WordPress plugin
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-23992

Publication date:
28/02/2023
Cross-Site Request Forgery (CSRF) vulnerability in AutomatorWP plugin
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-24419

Publication date:
28/02/2023
Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Form Builder Team Formidable Forms plugin
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-1080

Publication date:
28/02/2023
The GN Publisher plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘tab’ parameter in versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023