Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used in order to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-24055

Publication date:
22/01/2023
KeePass through 2.53 (in a default installation) allows an attacker, who has write access to the XML configuration file, to obtain the cleartext passwords by adding an export trigger. NOTE: the vendor's position is that the password database is not intended to be secure against an attacker who has that level of access to the local PC.
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2024

CVE-2023-24044

Publication date:
22/01/2023
A Host Header Injection issue on the Login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious websites via a Host request header. NOTE: the vendor's position is "the ability to use arbitrary domain names to access the panel is an intended feature."
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2025

CVE-2023-0434

Publication date:
22/01/2023
Improper Input Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev40.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2023

CVE-2023-22617

Publication date:
21/01/2023
A remote attacker might be able to cause infinite recursion in PowerDNS Recursor 4.8.0 via a DNS query that retrieves DS records for a misconfigured domain, because QName minimization is used in QM fallback mode. This is fixed in 4.8.1.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2025

CVE-2023-0433

Publication date:
21/01/2023
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-22884

Publication date:
21/01/2023
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider. This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2025

CVE-2023-24039

Publication date:
21/01/2023
A stack-based buffer overflow in ParseColors in libXm in Common Desktop Environment 1.6 can be exploited by local low-privileged users via the dtprintinfo setuid binary to escalate their privileges to root on Solaris 10 systems. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2025

CVE-2023-24040

Publication date:
21/01/2023
dtprintinfo in Common Desktop Environment 1.6 has a bug in the parser of lpstat (an invoked external command) during listing of the names of available printers. This allows low-privileged local users to inject arbitrary printer names via the $HOME/.printers file. This injection allows those users to manipulate the control flow and disclose memory contents on Solaris 10 systems. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2024

CVE-2023-24042

Publication date:
21/01/2023
A race condition in LightFTP through 2.2 allows an attacker to achieve path traversal via a malformed FTP request. A handler thread can use an overwritten context->FileName.
Severity CVSS v4.0: Pending analysis
Last modification:
08/12/2025

CVE-2023-24038

Publication date:
21/01/2023
The HTML-StripScripts module through 1.06 for Perl allows _hss_attval_style ReDoS because of catastrophic backtracking for HTML content with certain style attributes.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2025

CVE-2020-36655

Publication date:
21/01/2023
Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2025

CVE-2023-22742

Publication date:
20/01/2023
libgit2 is a cross-platform, linkable library implementation of Git. When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the `certificate_check` field of libgit2's `git_remote_callbacks` structure; if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default, without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack. Users are encouraged to upgrade to v1.4.5 or v1.5.1. Users unable to upgrade should ensure that all relevant certificates are manually checked.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023