Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-6337

Publication date:
08/12/2023
HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash. Fixed in Vault 1.15.4, 1.14.8, 1.13.12.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2023-34320

Publication date:
08/12/2023
Cortex-A77 cores (r0p0 and r1p0) are affected by erratum 1508412 where software, under certain circumstances, could deadlock a core due to the execution of either a load to device or non-cacheable memory, and either a store exclusive or register read of the Physical Address Register (PAR_EL1) in close proximity.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2023

CVE-2023-46493

Publication date:
08/12/2023
Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the readDirSync function in fileBrowser/browser.js.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2023

CVE-2023-46495

Publication date:
08/12/2023
Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the sortBy parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2023

CVE-2023-46496

Publication date:
08/12/2023
Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the DELETE function in api/files endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2023

CVE-2023-46497

Publication date:
08/12/2023
Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the mkdirSync function in the folderCreate/createFolder.js endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2023

CVE-2023-46498

Publication date:
08/12/2023
An issue in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information and execute arbitrary code via the /deleteCustomer/route.json file.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2023

CVE-2023-46499

Publication date:
08/12/2023
Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via crafted scripts to the Admin Panel.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2023

CVE-2023-48311

Publication date:
08/12/2023
dockerspawner is a tool to spawn JupyterHub single user servers in Docker containers. JupyterHub deployments running DockerSpawner starting with 0.11.0 without specifying the `DockerSpawner.allowed_images` configuration allow users to launch _any_ pullable docker image, instead of restricting them to only the single configured image, as intended. This issue has been addressed in commit `3ba4b665b`, which has been included in dockerspawner release version 13. Users are advised to upgrade. Users unable to upgrade should explicitly set `DockerSpawner.allowed_images` to a non-empty list containing only the default image, which will result in the intended default behavior.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2023

CVE-2023-49782

Publication date:
08/12/2023
Collabora Online is a collaborative online office suite based on LibreOffice technology. Users of Nextcloud with `Collabora Online - Built-in CODE Server` app can be vulnerable to attack via proxy.php. The bug was fixed in Collabora Online - Built-in CODE Server (richdocumentscode) release 23.5.601. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2023

CVE-2023-49788

Publication date:
08/12/2023
Collabora Online is a collaborative online office suite based on LibreOffice technology. Unlike a standalone dedicated Collabora Online server, the Built-in CODE Server (richdocumentscode) is run without chroot sandboxing. Vulnerable versions of the richdocumentscode app can be susceptible to attack via modified client->server commands to overwrite files outside the subdirectory the server has provided for the transient session. Files which can be accessed are limited to those that the server process has access to. The bug was fixed in Collabora Online - Built-in CODE Server (richdocumentscode) release 23.5.602. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2023

CVE-2023-46494

Publication date:
08/12/2023
Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via a crafted request to the ProductGrid function in admin/productGrid/Grid.jsx.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2025