Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-30601

Publication date:
30/05/2023
Privilege escalation when enabling FQL/Audit logs allows a user with JMX access to run arbitrary commands as the user running Apache Cassandra.
This issue affects Apache Cassandra: from 4.0.0 through 4.0.9, from 4.1.0 through 4.1.1.

WORKAROUND
The vulnerability requires nodetool/JMX access to be exploitable; disable access for any non-trusted users.

MITIGATION
Upgrade to 4.0.10 or 4.1.2 and leave the new FQL/Auditlog configuration property allow_nodetool_archive_command as false.
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2023

CVE-2023-2518

Publication date:
30/05/2023
The Easy Forms for Mailchimp WordPress plugin before 6.8.9 does not sanitise and escape a parameter before outputting it back in the page when the debug option is enabled, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Severity CVSS v4.0: Pending analysis
Last modification:
10/01/2025

CVE-2023-2223

Publication date:
30/05/2023
The Login rebuilder WordPress plugin before 2.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Severity CVSS v4.0: Pending analysis
Last modification:
10/01/2025

CVE-2023-2023

Publication date:
30/05/2023
The Custom 404 Pro WordPress plugin before 3.7.3 does not escape some URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting.
Severity CVSS v4.0: Pending analysis
Last modification:
09/01/2025

CVE-2023-0329

Publication date:
30/05/2023
The Elementor Website Builder WordPress plugin before 3.12.2 does not properly sanitize and escape the Replace URL parameter in the Tools module before using it in a SQL statement, leading to a SQL injection exploitable by users with the Administrator role.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2025

CVE-2022-4676

Publication date:
30/05/2023
The OSM WordPress plugin through 6.01 does not validate and escape some of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
09/01/2025

CVE-2023-0443

Publication date:
30/05/2023
The AnyWhere Elementor WordPress plugin before 1.2.8 discloses a Freemius Secret Key which could be used by an attacker to purchase the pro subscription using test credit card numbers without actually paying the amount. This key has been revoked.
Severity CVSS v4.0: Pending analysis
Last modification:
10/01/2025

CVE-2023-0733

Publication date:
30/05/2023
The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
10/01/2025

CVE-2023-0766

Publication date:
30/05/2023
The Newsletter Popup WordPress plugin through 1.2 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks, as the wp_newsletter_show_localrecord page is not protected with a nonce.
Severity CVSS v4.0: Pending analysis
Last modification:
10/01/2025

CVE-2023-1524

Publication date:
30/05/2023
The Download Manager WordPress plugin before 3.2.71 does not adequately validate passwords for password-protected files. Upon validation, a master key is generated and exposed to the user, which may be used to download any password-protected file on the server, allowing a user to download any file with the knowledge of any one file's password.
Severity CVSS v4.0: Pending analysis
Last modification:
21/03/2025

CVE-2023-2111

Publication date:
30/05/2023
The Fast & Effective Popups & Lead-Generation for WordPress plugin before 2.1.4 concatenates user input into an SQL query without escaping it first in the plugin's report API endpoint, which could allow administrators in multi-site configuration to leak sensitive information from the site's database.
Severity CVSS v4.0: Pending analysis
Last modification:
10/01/2025

CVE-2023-1938

Publication date:
30/05/2023
The WP Fastest Cache WordPress plugin before 1.1.5 does not have a CSRF check in an AJAX action, and does not validate user input before using it in the wp_remote_get() function, leading to a Blind SSRF issue.
Severity CVSS v4.0: Pending analysis
Last modification:
10/01/2025