Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-19952

Publication date:
11/08/2023
Cross Site Scripting (XSS) vulnerability in Rendering Engine in jbt Markdown Editor thru commit 2252418c27dffbb35147acd8ed324822b8919477, allows remote attackers to execute arbitrary code via crafted payload or opening malicious .md file.
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2023

CVE-2023-39417

Publication date:
11/08/2023
IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2024

CVE-2022-3403

Publication date:
11/08/2023
Rejected reason: Duplicate, please use CVE-2023-28931 instead.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-39418

Publication date:
11/08/2023
A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2024

CVE-2023-3864

Publication date:
11/08/2023
Blind SQL injection in a service running in Snow Software license manager from version 8.0.0 up to and including 9.30.1 on Windows allows a logged in user with high privileges to inject SQL commands via the web portal.
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2023

CVE-2023-3937

Publication date:
11/08/2023
Cross site scripting vulnerability in web portal in Snow Software License Manager from version 9.0.0 up to and including 9.30.1 on Windows allows an authenticated user with high privileges to trigger cross site scripting attack via the web browser
Severity CVSS v4.0: Pending analysis
Last modification:
18/08/2023

CVE-2023-39553

Publication date:
11/08/2023
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.

Apache Airflow Drill Provider is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection with DrillHook giving an opportunity to read files on the Airflow server.
This issue affects Apache Airflow Drill Provider: before 2.4.3.
It is recommended to upgrade to a version that is not affected.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2023-4108

Publication date:
11/08/2023
Mattermost fails to sanitize post metadata during audit logging resulting in permalinks contents being logged
Severity CVSS v4.0: Pending analysis
Last modification:
15/08/2023

CVE-2023-40267

Publication date:
11/08/2023
GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-40254

Publication date:
11/08/2023
Download of Code Without Integrity Check vulnerability in Genians Genian NAC V4.0, Genians Genian NAC V5.0, Genians Genian NAC Suite V5.0, Genians Genian ZTNA allows Malicious Software Update. This issue affects Genian NAC V4.0: from V4.0.0 through V4.0.155; Genian NAC V5.0: from V5.0.0 through V5.0.42 (Revision 117460); Genian NAC Suite V5.0: from V5.0.0 through V5.0.54; Genian ZTNA: from V6.0.0 through V6.0.15.
Severity CVSS v4.0: Pending analysis
Last modification:
26/10/2023

CVE-2023-4107

Publication date:
11/08/2023
Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name.
Severity CVSS v4.0: Pending analysis
Last modification:
15/08/2023

CVE-2023-4105

Publication date:
11/08/2023
Mattermost fails to delete the attachments when deleting a message in a thread allowing a simple user to still be able to access and download the attachment of a deleted message
Severity CVSS v4.0: Pending analysis
Last modification:
15/08/2023