Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-29449
Publication date:
13/07/2023
JavaScript preprocessing, webhooks and global scripts can cause uncontrolled CPU, memory, and disk I/O utilization. Preprocessing/webhook/global script configuration and testing are only available to Administrative roles (Admin and Superadmin). Administrative privileges should be typically granted to users who need to perform tasks that require more control over the system. The security risk is limited because not all users have this level of access.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2023-29450
Publication date:
13/07/2023
JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access on behalf of user "zabbix") on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized access to sensitive data.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2023-37415
Publication date:
13/07/2023
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider.<br /> <br /> Patching on top of CVE-2023-35797<br /> Before 6.1.2 the proxy_user option can also inject semicolon.<br /> <br /> This issue affects Apache Airflow Apache Hive Provider: before 6.1.2.<br /> <br /> It is recommended updating provider version to 6.1.2 in order to avoid this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2023-2957
Publication date:
13/07/2023
Improper Neutralization of Special Elements used in an SQL Command (&amp;#39;SQL Injection&amp;#39;) vulnerability in Lisa Software Florist Site allows SQL Injection.This issue affects Florist Site: before 3.0.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
20/07/2023

CVE-2023-3319
Publication date:
13/07/2023
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in iDisplay PlatPlay DS allows Stored XSS.This issue affects PlatPlay DS: before 3.14.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
31/07/2023

CVE-2023-35069
Publication date:
13/07/2023
Improper Limitation of a Pathname to a Restricted Directory (&amp;#39;Path Traversal&amp;#39;) vulnerability in Bullwark allows Path Traversal.This issue affects Bullwark: before BLW-2016E-960H.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
31/07/2023

CVE-2023-1547
Publication date:
13/07/2023
Improper Neutralization of Special Elements used in an SQL Command (&amp;#39;SQL Injection&amp;#39;) vulnerability in Elra Parkmatik allows SQL Injection through SOAP Parameter Tampering, Command Line Execution through SQL Injection.This issue affects Parkmatik: before 02.01-a51.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
31/07/2023

CVE-2023-37564
Publication date:
13/07/2023
OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent authenticated attacker to execute an arbitrary OS command with a root privilege by sending a specially crafted request. Affected products and versions are as follows: WRC-1167GHBK-S v1.03 and earlier, WRC-1167GEBK-S v1.03 and earlier, WRC-1167FEBK-S v1.04 and earlier, WRC-1167GHBK3-A v1.24 and earlier, and WRC-1167FEBK-A v1.18 and earlier.
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2023

CVE-2023-37565
Publication date:
13/07/2023
Code injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent authenticated attacker to execute arbitrary code by sending a specially crafted request. Affected products and versions are as follows: WRC-1167GHBK-S v1.03 and earlier, WRC-1167GEBK-S v1.03 and earlier, WRC-1167FEBK-S v1.04 and earlier, WRC-1167GHBK3-A v1.24 and earlier, and WRC-1167FEBK-A v1.18 and earlier.
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2023

CVE-2023-38199
Publication date:
13/07/2023
coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion" between the WAF and the backend application. This occurs when the web application relies on only the last Content-Type header. Other platforms may reject the additional Content-Type header or merge conflicting headers, leading to detection as a malformed header.
Severity CVSS v4.0: Pending analysis
Last modification:
05/09/2023

CVE-2023-3362
Publication date:
13/07/2023
An information disclosure issue in GitLab CE/EE affecting all versions from 16.0 prior to 16.0.6, and version 16.1.0 allows unauthenticated actors to access the import error information if a project was imported from GitHub.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025

CVE-2023-3363
Publication date:
13/07/2023
An information disclosure issue in Gitlab CE/EE affecting all versions from 13.6 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, all versions from 16.1 prior to 16.1.1, resulted in the Sidekiq log including webhook tokens when the log format was set to `default`.
Severity CVSS v4.0: Pending analysis
Last modification:
20/07/2023
Subscribe to Vulnerabilities