Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-5907

Publication date:
11/12/2023
The File Manager WordPress plugin before 6.3 does not restrict the file managers root directory, allowing an administrator to set a root outside of the WordPress root directory, giving access to system files and directories even in a multisite setup, where site administrators should not be allowed to modify the sites files.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2025

CVE-2023-49795

Publication date:
11/12/2023
MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a server-side request forgery vulnerability in `file.py`. This can lead to limited information disclosure. Users should use MindsDB&amp;#39;s `staging` branch or v23.11.4.1, which contain a fix for the issue.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
14/12/2023

CVE-2023-6679

Publication date:
11/12/2023
A null pointer dereference vulnerability was found in dpll_pin_parent_pin_set() in drivers/dpll/dpll_netlink.c in the Digital Phase Locked Loop (DPLL) subsystem in the Linux kernel. This issue could be exploited to trigger a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
16/09/2024

CVE-2023-48715

Publication date:
11/12/2023
Tuleap is an open source suite to improve management of software developments and collaboration. Prior to version 15.2.99.103 of Tuleap Community Edition and prior to versions 15.2-4 and 15.1-8 of Tuleap Enterprise Edition, the name of the releases are not properly escaped on the edition page of a release. A malicious user with the ability to create a FRS release could force a victim having write permissions in the FRS to execute uncontrolled code. Tuleap Community Edition 15.2.99.103, Tuleap Enterprise Edition 15.2-4, and Tuleap Enterprise Edition 15.1-8 contain a fix for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
22/02/2024

CVE-2023-6538

Publication date:
11/12/2023
SMU versions prior to 14.8.7825.01 are susceptible to unintended information disclosure, through URL manipulation. Authenticated users in Storage, Server or combined Server+Storage administrative roles are able to access SMU configuration backup, that would normally be barred to those specific administrative roles.
Severity CVSS v4.0: Pending analysis
Last modification:
14/12/2023

CVE-2023-6671

Publication date:
11/12/2023
A vulnerability has been discovered on OJS, that consists in a CSRF (Cross-Site Request Forgery) attack that forces an end user to execute unwanted actions on a web application in which they&amp;#39;re currently authenticated.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2023

CVE-2023-49418

Publication date:
11/12/2023
TOTOLink A7000R V9.1.0u.6115_B20201022has a stack overflow vulnerability via setIpPortFilterRules.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2023

CVE-2023-6194

Publication date:
11/12/2023
In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit<br /> document type definition (DTD) references to external entities.<br /> This means that if a user chooses to use a malicious report definition XML file containing an external entity reference<br /> to generate a report then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2023

CVE-2023-49417

Publication date:
11/12/2023
TOTOLink A7000R V9.1.0u.6115_B20201022 has a stack overflow vulnerability via setOpModeCfg.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2025

CVE-2023-6185

Publication date:
11/12/2023
Improper Input Validation vulnerability in GStreamer integration of The Document Foundation LibreOffice allows an attacker to execute arbitrary GStreamer plugins.<br /> <br /> In affected versions the filename of the embedded video is not sufficiently escaped when passed to GStreamer enabling an attacker to run arbitrary gstreamer plugins depending on what plugins are installed on the target system.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2023-6186

Publication date:
11/12/2023
Insufficient macro permission validation of The Document Foundation LibreOffice allows an attacker to execute built-in macros without warning.<br /> <br /> In affected versions LibreOffice supports hyperlinks with macro or similar built-in command targets that can be executed when activated without warning the user.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2023-49964

Publication date:
11/12/2023
An issue was discovered in Hyland Alfresco Community Edition through 7.2.0. By inserting malicious content in the folder.get.html.ftl file, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker exposed objects to bypass restrictions and achieve RCE (Remote Code Execution). NOTE: this issue exists because of an incomplete fix for CVE-2020-12873.
Severity CVSS v4.0: Pending analysis
Last modification:
14/12/2023