Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a Spanish-language database, open to any interested user, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list shows vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notice of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-48087

Publication date:
15/11/2023
xxl-job-admin 2.4.0 is vulnerable to Insecure Permissions via /xxl-job-admin/joblog/clearLog and /xxl-job-admin/joblog/logDetailCat.
Severity CVSS v4.0: Pending analysis
Last modification:
21/11/2023

CVE-2023-48088

Publication date:
15/11/2023
xxl-job-admin 2.4.0 is vulnerable to Cross Site Scripting (XSS) via /xxl-job-admin/joblog/logDetailPage.
Severity CVSS v4.0: Pending analysis
Last modification:
21/11/2023

CVE-2023-48089

Publication date:
15/11/2023
xxl-job-admin 2.4.0 is vulnerable to Remote Code Execution (RCE) via /xxl-job-admin/jobcode/save.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024

CVE-2023-5720

Publication date:
15/11/2023
A flaw was found in Quarkus, where it does not properly sanitize artifacts created using the Gradle plugin, allowing certain build system information to remain. This flaw allows an attacker to access potentially sensitive information from the build system within the application.
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2023

CVE-2023-5676

Publication date:
15/11/2023
In Eclipse OpenJ9 before version 0.41.0, the JVM can be forced into an infinite busy hang on a spinlock or a segmentation fault if a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the JVM has finished initializing.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2023-4602

Publication date:
15/11/2023
The Namaste! LMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'course_id' parameter in versions up to, and including, 2.6.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
22/11/2023

CVE-2023-5245

Publication date:
15/11/2023
FileUtil.extract() enumerates all zip file entries and extracts each file without validating whether file paths in the archive are outside the intended directory.

When creating an instance of TensorflowModel using the saved_model format and an exported tensorflow model, the apply() function invokes the vulnerable implementation of FileUtil.extract().

Arbitrary file creation can directly lead to code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
22/11/2023

CVE-2023-23549

Publication date:
15/11/2023
Improper Input Validation in Checkmk
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2023-34062

Publication date:
15/11/2023
In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

Specifically, an application is vulnerable if Reactor Netty HTTP Server is configured to serve static resources.
Severity CVSS v4.0: Pending analysis
Last modification:
21/11/2023

CVE-2023-46672

Publication date:
15/11/2023
An issue was identified by Elastic whereby sensitive information is recorded in Logstash logs under specific circumstances.

The prerequisites for the manifestation of this issue are:

* Logstash is configured to log in JSON format (https://www.elastic.co/guide/en/logstash/current/running-logstash-command-line.html), which is not the default logging format.
* Sensitive data is stored in the Logstash keystore and referenced as a variable in Logstash configuration.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2023-4889

Publication date:
15/11/2023
The Shareaholic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'shareaholic' shortcode in versions up to, and including, 9.7.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
21/11/2023

CVE-2023-6133

Publication date:
15/11/2023
The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient blacklisting on the 'forminator_allowed_mime_types' function in versions up to, and including, 1.27.0. This makes it possible for authenticated attackers with administrator-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed.
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2023