Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-3487
Publication date:
20/10/2023
An integer overflow in Silicon Labs Gecko Bootloader version 4.3.1 and earlier allows unbounded memory access when reading from or writing to storage slots.
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2024

CVE-2023-46287
Publication date:
20/10/2023
XSS exists in NagVis before 1.9.38 via the select function in share/server/core/functions/html.php.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2023-5618
Publication date:
20/10/2023
The Modern Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in versions up to, and including, 1.4.16 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-34045
Publication date:
20/10/2023
VMware Fusion(13.x prior to 13.5) contains a local privilege escalation vulnerability that occurs during <br /> installation for the first time (the user needs to drag or copy the <br /> application to a folder from the &amp;#39;.dmg&amp;#39; volume) or when installing an <br /> upgrade. A malicious actor with local non-administrative user privileges may <br /> exploit this vulnerability to escalate privileges to root on the system <br /> where Fusion is installed or being installed for the first time.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2025

CVE-2023-44256
Publication date:
20/10/2023
A server-side request forgery vulnerability [CWE-918] in Fortinet FortiAnalyzer version 7.4.0, version 7.2.0 through 7.2.3 and before 7.0.8 and FortiManager version 7.4.0, version 7.2.0 through 7.2.3 and before 7.0.8 allows a remote attacker with low privileges to view sensitive data from internal servers or perform a local port scan via a crafted HTTP request.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-44483
Publication date:
20/10/2023
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2023-34044
Publication date:
20/10/2023
VMware Workstation( 17.x prior to 17.5) and Fusion(13.x prior to 13.5) contain an out-of-bounds <br /> read vulnerability that exists in the functionality for sharing host <br /> Bluetooth devices with the virtual machine. A malicious actor with local administrative privileges on a virtual <br /> machine may be able to read privileged information contained in <br /> hypervisor memory from a virtual machine.
Severity CVSS v4.0: Pending analysis
Last modification:
28/10/2023

CVE-2023-34046
Publication date:
20/10/2023
VMware Fusion(13.x prior to 13.5) contains a TOCTOU (Time-of-check Time-of-use) <br /> vulnerability that occurs during installation for the first time (the <br /> user needs to drag or copy the application to a folder from the &amp;#39;.dmg&amp;#39; <br /> volume) or when installing an upgrade. A malicious actor with local non-administrative user privileges may <br /> exploit this vulnerability to escalate privileges to root on the system <br /> where Fusion is installed or being installed for the first time.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2025

CVE-2023-5086
Publication date:
20/10/2023
The Copy Anything to Clipboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via &amp;#39;copy&amp;#39; shortcode in versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-5109
Publication date:
20/10/2023
The WP Mailto Links – Protect Email Addresses plugin for WordPress is vulnerable to Stored Cross-Site Scripting via &amp;#39;wpml_mailto&amp;#39; shortcode in versions up to, and including, 3.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This was partially patched in version 3.1.3 and fully patched in version 3.1.4.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-5121
Publication date:
20/10/2023
The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings (the backup path parameter) in versions up to, and including, 0.9.89 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-5231
Publication date:
20/10/2023
The Magic Action Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 2.17.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023
Subscribe to Vulnerabilities