Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with different criteria available to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-47890

Publication date:
08/01/2024
pyLoad 0.5.0 is vulnerable to Unrestricted File Upload.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2025

CVE-2023-50982

Publication date:
08/01/2024
Stud.IP 5.x through 5.3.3 allows XSS with resultant upload of executable files, because upload_action and edit_action in Admin_SmileysController do not check the file extension. This leads to remote code execution with the privileges of the www-data user. The fixed versions are 5.3.4, 5.2.6, 5.1.7, and 5.0.9.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2025

CVE-2023-51246

Publication date:
08/01/2024
A Cross Site Scripting (XSS) vulnerability in GetSimple CMS 3.3.16 exists when using Source Code Mode as a backend user to add articles via the /admin/edit.php page.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2025

CVE-2023-52200

Publication date:
08/01/2024
Cross-Site Request Forgery (CSRF), Deserialization of Untrusted Data vulnerability in Repute Infosystems ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup. This issue affects ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup: n/a.
Severity CVSS v4.0: Pending analysis
Last modification:
11/01/2024

CVE-2023-6140

Publication date:
08/01/2024
The Essential Real Estate WordPress plugin before 4.4.0 does not prevent users with limited privileges on the site, like subscribers, from momentarily uploading malicious PHP files disguised as ZIP archives, which may lead to remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
04/09/2024

CVE-2023-6141

Publication date:
08/01/2024
The Essential Real Estate WordPress plugin before 4.4.0 does not apply proper capability checks on its AJAX actions, which, among other things, allows attackers with a subscriber account to conduct Stored XSS attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
18/06/2025

CVE-2023-6161

Publication date:
08/01/2024
The WP Crowdfunding WordPress plugin before 2.1.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2025

CVE-2023-6383

Publication date:
08/01/2024
The Debug Log Manager WordPress plugin before 2.3.0 contains a directory listing vulnerability, which allows you to download the debug log without authorization and gain access to sensitive data.
Severity CVSS v4.0: Pending analysis
Last modification:
17/04/2025

CVE-2023-6505

Publication date:
08/01/2024
The Migrate WordPress Website & Backups WordPress plugin before 1.9.3 does not prevent directory listing in sensitive directories containing export files.
Severity CVSS v4.0: Pending analysis
Last modification:
18/06/2025

CVE-2023-6528

Publication date:
08/01/2024
The Slider Revolution WordPress plugin before 6.6.19 does not prevent users with at least the Author role from unserializing arbitrary content when importing sliders, potentially leading to Remote Code Execution.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2025

CVE-2023-6529

Publication date:
08/01/2024
The WP VR WordPress plugin before 8.3.15 does not have authorisation and CSRF checks in a function hooked to admin_init, allowing unauthenticated users to downgrade the plugin, thus leading to Reflected or Stored XSS, as previous versions have such vulnerabilities.
Severity CVSS v4.0: Pending analysis
Last modification:
18/06/2025

CVE-2023-6532

Publication date:
08/01/2024
The WP Blogs' Planetarium WordPress plugin through 1.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
Severity CVSS v4.0: Pending analysis
Last modification:
18/06/2025