Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-46705
Publication date:
20/11/2023
in OpenHarmony v3.2.2 and prior versions allow a local attacker causes system information leak through type confusion.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2024

CVE-2023-47217
Publication date:
20/11/2023
in OpenHarmony v3.2.2 and prior versions allow a local attacker cause DOS through buffer overflow.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2024

CVE-2023-3116
Publication date:
20/11/2023
in OpenHarmony v3.2.2 and prior versions allow a local attacker get confidential information or rewrite sensitive file through incorrect default permissions.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2024

CVE-2022-46337
Publication date:
20/11/2023
A cleverly devised username might bypass LDAP authentication checks. In <br /> LDAP-authenticated Derby installations, this could let an attacker fill <br /> up the disk by creating junk Derby databases. In LDAP-authenticated <br /> Derby installations, this could also allow the attacker to execute <br /> malware which was visible to and executable by the account which booted <br /> the Derby server. In LDAP-protected databases which weren&amp;#39;t also <br /> protected by SQL GRANT/REVOKE authorization, this vulnerability could <br /> also let an attacker view and corrupt sensitive data and run sensitive <br /> database functions and procedures.<br /> <br /> Mitigation:<br /> <br /> Users should upgrade to Java 21 and Derby 10.17.1.0.<br /> <br /> Alternatively, users who wish to remain on older Java versions should <br /> build their own Derby distribution from one of the release families to <br /> which the fix was backported: 10.16, 10.15, and 10.14. Those are the <br /> releases which correspond, respectively, with Java LTS versions 17, 11, <br /> and 8.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2025

CVE-2023-46302
Publication date:
20/11/2023
Apache Software Foundation Apache Submarine has a bug when serializing against yaml. The bug is caused by snakeyaml https://nvd.nist.gov/vuln/detail/CVE-2022-1471 .<br /> <br /> Apache Submarine uses JAXRS to define REST endpoints. In order to<br /> handle YAML requests (using application/yaml content-type), it defines<br /> a YamlEntityProvider entity provider that will process all incoming<br /> YAML requests. In order to unmarshal the request, the readFrom method<br /> is invoked, passing the entityStream containing the user-supplied data in `submarine-server/server-core/src/main/java/org/apache/submarine/server/utils/YamlUtils.java`.<br /> <br /> We have now fixed this issue in the new version by replacing to `jackson-dataformat-yaml`.<br /> This issue affects Apache Submarine: from 0.7.0 before 0.8.0. Users are recommended to upgrade to version 0.8.0, which fixes this issue.<br /> If using the version smaller than 0.8.0 and not want to upgrade, you can try cherry-pick PR https://github.com/apache/submarine/pull/1054 and rebuild the submart-server image to fix this.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2023

CVE-2023-3379
Publication date:
20/11/2023
Wago web-based management of multiple products has a vulnerability which allows an local authenticated attacker to change the passwords of other non-admin users and thus to escalate non-root privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2024

CVE-2023-46700
Publication date:
20/11/2023
SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary SQL command by sending a crafted request, and obtain or alter information stored in the database.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2023

CVE-2023-47175
Publication date:
20/11/2023
Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is accessing the product.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2023

CVE-2023-5341
Publication date:
19/11/2023
A heap use-after-free flaw was found in coders/bmp.c in ImageMagick.
Severity CVSS v4.0: Pending analysis
Last modification:
07/02/2025

CVE-2023-41129
Publication date:
18/11/2023
Cross-Site Request Forgery (CSRF) vulnerability in Patreon Patreon WordPress.This issue affects Patreon WordPress: from n/a through 1.8.6.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
27/11/2023

CVE-2023-28780
Publication date:
18/11/2023
Cross-Site Request Forgery (CSRF) vulnerability in Yoast Yoast Local Premium.This issue affects Yoast Local Premium: from n/a through 14.8.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2023

CVE-2023-31075
Publication date:
18/11/2023
Cross-Site Request Forgery (CSRF) vulnerability in Arshid Easy Hide Login.This issue affects Easy Hide Login: from n/a through 1.0.8.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2023
Subscribe to Vulnerabilities