Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-31135
Publication date:
17/05/2023
Dgraph is an open source distributed GraphQL database. Existing Dgraph audit logs are vulnerable to brute force attacks due to nonce collisions. The first 12 bytes come from a baseIv which is initialized when an audit log is created. The last 4 bytes come from the length of the log line being encrypted. This is problematic because two log lines will often have the same length, so due to these collisions we are reusing the same nonce many times. All audit logs generated by versions of Dgraph
Severity CVSS v4.0: Pending analysis
Last modification:
25/05/2023

CVE-2023-26044
Publication date:
17/05/2023
react/http is an event-driven, streaming HTTP client and server implementation for ReactPHP. Previous versions of ReactPHP&amp;#39;s HTTP server component contain a potential DoS vulnerability that can cause high CPU load when processing large HTTP request bodies. This vulnerability has little to no impact on the default configuration, but can be exploited when explicitly using the RequestBodyBufferMiddleware with very large settings. This might lead to consuming large amounts of CPU time for processing requests and significantly delay or slow down the processing of legitimate user requests. This issue has been addressed in release 1.9.0. Users are advised to upgrade. Users unable to upgrade may keep the request body limited using RequestBodyBufferMiddleware with a sensible value which should mitigate the issue. An infrastructure or DevOps workaround could be to place a reverse proxy in front of the ReactPHP HTTP server to filter out any excessive HTTP request bodies.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
25/05/2023

CVE-2023-24805
Publication date:
17/05/2023
cups-filters contains backends, filters, and other software required to get the cups printing service working on operating systems other than macos. If you use the Backend Error Handler (beh) to create an accessible network printer, this security vulnerability can cause remote code execution. `beh.c` contains the line `retval = system(cmdline) &gt;&gt; 8;` which calls the `system` command with the operand `cmdline`. `cmdline` contains multiple user controlled, unsanitized values. As a result an attacker with network access to the hosted print server can exploit this vulnerability to inject system commands which are executed in the context of the running server. This issue has been addressed in commit `8f2740357` and is expected to be bundled in the next release. Users are advised to upgrade when possible and to restrict access to network printers in the meantime.
Severity CVSS v4.0: Pending analysis
Last modification:
05/01/2024

CVE-2023-2768
Publication date:
17/05/2023
A vulnerability was found in Sucms 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file admin_ads.php?action=add. The manipulation of the argument intro leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-229274 is the identifier assigned to this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2024

CVE-2023-2766
Publication date:
17/05/2023
A vulnerability was found in Weaver OA 9.5 and classified as problematic. This issue affects some unknown processing of the file /building/backmgr/urlpage/mobileurl/configfile/jx2_config.ini. The manipulation leads to files or directories accessible. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-229271. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2025

CVE-2023-2765
Publication date:
17/05/2023
A vulnerability has been found in Weaver OA up to 9.5 and classified as problematic. This vulnerability affects unknown code of the file /E-mobile/App/System/File/downfile.php. The manipulation of the argument url leads to absolute path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-229270 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2025

CVE-2023-22348
Publication date:
17/05/2023
Improper Authorization in RestAPI in Checkmk GmbH&amp;#39;s Checkmk versions
Severity CVSS v4.0: Pending analysis
Last modification:
23/07/2024

CVE-2023-31725
Publication date:
17/05/2023
yasm 1.3.0.55.g101bc was discovered to contain a heap-use-after-free via the function expand_mmac_params at yasm/modules/preprocs/nasm/nasm-pp.c.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2025

CVE-2023-31724
Publication date:
17/05/2023
yasm 1.3.0.55.g101bc was discovered to contain a segmentation violation via the function do_directive at /nasm/nasm-pp.c.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2025

CVE-2023-31723
Publication date:
17/05/2023
yasm 1.3.0.55.g101bc was discovered to contain a segmentation violation via the function expand_mmac_params at /nasm/nasm-pp.c.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2025

CVE-2023-31701
Publication date:
17/05/2023
TP-Link TL-WPA4530 KIT V2 (EU)_170406 and V2 (EU)_161115 is vulnerable to Command Injection via _httpRpmPlcDeviceRemove.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2025

CVE-2023-31722
Publication date:
17/05/2023
There exists a heap buffer overflow in nasm 2.16.02rc1 (GitHub commit: b952891).
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2025
Subscribe to Vulnerabilities