Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-26779

Publication date:
03/03/2023
CleverStupidDog yf-exam v 1.8.0 is vulnerable to Deserialization which can lead to remote code execution (RCE).
Severity CVSS v4.0: Pending analysis
Last modification:
06/03/2025

CVE-2023-25403

Publication date:
03/03/2023
CleverStupidDog yf-exam v 1.8.0 is vulnerable to Authentication Bypass. The program uses a fixed JWT key, and the stored key uses username format characters. Any user who logged in within 24 hours. A token can be forged with his username to bypass authentication.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2025

CVE-2023-1170

Publication date:
03/03/2023
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1376.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-27567

Publication date:
03/03/2023
In OpenBSD 7.2, a TCP packet with destination port 0 that matches a pf divert-to rule can crash the kernel.
Severity CVSS v4.0: Pending analysis
Last modification:
06/03/2025

CVE-2023-27574

Publication date:
03/03/2023
ShadowsocksX-NG 1.10.0 signs with com.apple.security.get-task-allow entitlements because of CODE_SIGNING_INJECT_BASE_ENTITLEMENTS.
Severity CVSS v4.0: Pending analysis
Last modification:
06/03/2025

CVE-2023-23927

Publication date:
03/03/2023
Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, an cross-site scripting (XSS) happens in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-26488

Publication date:
03/03/2023
OpenZeppelin Contracts is a library for secure smart contract development. The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token may overflow the balance as reported by `balanceOf`. The issue exclusively presents with batches of size 1. The issue has been patched in 4.8.2.
Severity CVSS v4.0: Pending analysis
Last modification:
10/03/2023

CVE-2023-26492

Publication date:
03/03/2023
Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan. An attacker can exploit this vulnerability to access highly sensitive internal server(s) and steal sensitive information. This issue was fixed in version 9.23.0.
Severity CVSS v4.0: Pending analysis
Last modification:
10/03/2023

CVE-2023-0968

Publication date:
03/03/2023
The Watu Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘dn’, &amp;#39;email&amp;#39;, &amp;#39;points&amp;#39;, and &amp;#39;date&amp;#39; parameters in versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-26213

Publication date:
03/03/2023
On Barracuda CloudGen WAN Private Edge Gateway devices before 8 webui-sdwan-1089-8.3.1-174141891, an OS command injection vulnerability exists in /ajax/update_certificate - a crafted HTTP request allows an authenticated attacker to execute arbitrary commands. For example, a name field can contain :password and a password field can contain shell metacharacters.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2025

CVE-2022-46973

Publication date:
03/03/2023
Report v0.9.8.6 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2025

CVE-2023-23313

Publication date:
03/03/2023
Certain Draytek products are vulnerable to Cross Site Scripting (XSS) via the wlogin.cgi script and user_login.cgi script of the router&amp;#39;s web application management portal. This affects Vigor3910, Vigor1000B, Vigor2962 v4.3.2.1; Vigor2865 and Vigor2866 v4.4.1.0; Vigor2927 v4.4.2.2; and Vigor2915, Vigor2765, Vigor2766, Vigor2135 v4.4.2.0; Vigor2763 v4.4.2.1; Vigor2862 and Vigor2926 v3.9.9.0; Vigor2925 v3.9.3; Vigor2952 and Vigor3220 v3.9.7.3; Vigor2133 and Vigor2762 v3.9.6.4; and Vigor2832 v3.9.6.2.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2025