Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-35935

Publication date:

03/07/2023

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-31999. Reason: This candidate is a reservation duplicate of CVE-2023-31999. Notes: All CVE users should reference CVE-2023-31999 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2023-36816

Publication date:

03/07/2023

2FA is a Web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Cross site scripting (XSS) injection can be done via the account/service field. This was tested in docker-compose environment. This vulnerability has been patched in version 4.0.3.

Severity CVSS v4.0: Pending analysis

Last modification:

10/07/2023

CVE-2023-3497

Publication date:

03/07/2023

Out of bounds read in Google Security Processor firmware in Google Chrome on Chrome OS prior to 114.0.5735.90 allowed a local attacker to perform denial of service via physical access to the device. (Chromium security severity: Medium)

Severity CVSS v4.0: Pending analysis

Last modification:

29/07/2023

CVE-2023-26509

Publication date:

03/07/2023

AnyDesk 7.0.8 allows remote Denial of Service.

Severity CVSS v4.0: Pending analysis

Last modification:

11/07/2023

CVE-2023-26258

Publication date:

03/07/2023

Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. This session can be used to execute any task as administrator.

Severity CVSS v4.0: Pending analysis

Last modification:

12/07/2023

CVE-2023-36053

Publication date:

03/07/2023

In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.

Severity CVSS v4.0: Pending analysis

Last modification:

04/11/2025

CVE-2023-35797

Publication date:

03/07/2023

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Hive Provider. This issue affects Apache Airflow Apache Hive Provider: before 6.1.1. Before version 6.1.1 it was possible to bypass the security check to RCE via principal parameter. For this to be exploited it requires access to modifying the connection details. It is recommended updating provider version to 6.1.1 in order to avoid this vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

13/02/2025

CVE-2023-3314

Publication date:

03/07/2023

A vulnerability arises out of a failure to comprehensively sanitize the processing of a zip file(s). Incomplete neutralization of external commands used to control the process execution of the .zip application allows an authorized user to obtain control of the .zip application to execute arbitrary commands or obtain elevation of system privileges.

Severity CVSS v4.0: Pending analysis

Last modification:

11/07/2023

CVE-2023-3313

Publication date:

03/07/2023

An OS common injection vulnerability exists in the ESM certificate API, whereby incorrectly neutralized special elements may have allowed an unauthorized user to execute system command injection for the purpose of privilege escalation or to execute arbitrary commands.

Severity CVSS v4.0: Pending analysis

Last modification:

11/07/2023

CVE-2023-3438

Publication date:

03/07/2023

An unquoted Windows search path vulnerability existed in the install the MOVE 4.10.x and earlier Windows install service (mvagtsce.exe). The misconfiguration allowed an unauthorized local user to insert arbitrary code into the unquoted service path to obtain privilege escalation and stop antimalware services.

Severity CVSS v4.0: Pending analysis

Last modification:

14/07/2023