Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-4755

Publication date:
04/09/2023
Use After Free in GitHub repository gpac/gpac prior to 2.3-DEV.
Severity CVSS v4.0: Pending analysis
Last modification:
06/09/2023

CVE-2023-4752

Publication date:
04/09/2023
Use After Free in GitHub repository vim/vim prior to 9.0.1858.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2023-4733

Publication date:
04/09/2023
Use After Free in GitHub repository vim/vim prior to 9.0.1840.
Severity CVSS v4.0: Pending analysis
Last modification:
01/02/2024

CVE-2023-3222

Publication date:
04/09/2023
Vulnerability in the password recovery mechanism of the Password Recovery plugin for Roundcube, in its 1.2 version, which could allow a remote attacker to change an existing user's password by adding a 6-digit numeric token. An attacker could create an automatic script to test all possible values because the platform has no limit on the number of requests.
Severity CVSS v4.0: Pending analysis
Last modification:
08/09/2023

CVE-2023-3221

Publication date:
04/09/2023
User enumeration vulnerability in Password Recovery plugin 1.2 version for Roundcube, which could allow a remote attacker to create a test script against the password recovery function to enumerate all users in the database.
Severity CVSS v4.0: Pending analysis
Last modification:
08/09/2023

CVE-2023-4269

Publication date:
04/09/2023
The User Activity Log WordPress plugin before 1.6.6 lacks proper authorisation when exporting its activity logs, allowing any authenticated user, such as a subscriber, to perform such an action and retrieve PII such as email addresses.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2025

CVE-2023-4019

Publication date:
04/09/2023
The Media from FTP WordPress plugin before 11.17 does not properly limit who can use the plugin, which may allow users with author+ privileges to move files around, like wp-config.php, which may lead to RCE in some cases.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2025

CVE-2023-4059

Publication date:
04/09/2023
The Profile Builder WordPress plugin before 3.9.8 lacks authorisation and CSRF protection in its page creation function, which allows unauthenticated users to create the register, log-in and edit-profile pages from the plugin on the blog.
Severity CVSS v4.0: Pending analysis
Last modification:
06/03/2025

CVE-2023-4151

Publication date:
04/09/2023
The Store Locator WordPress plugin before 1.4.13 does not sanitise and escape an invalid nonce before outputting it back in an AJAX response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Severity CVSS v4.0: Pending analysis
Last modification:
06/03/2025

CVE-2023-4216

Publication date:
04/09/2023
The Orders Tracking for WooCommerce WordPress plugin before 1.2.6 doesn't validate the file_url parameter when importing a CSV file, allowing high privilege users with the manage_woocommerce capability to access any file on the web server via a Traversal attack. The content retrieved is however limited to the first line of the file.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2025

CVE-2023-4253

Publication date:
04/09/2023
The AI ChatBot WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2025

CVE-2023-4254

Publication date:
04/09/2023
The AI ChatBot WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2025