Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-34409
Publication date:
06/06/2023
In Percona Monitoring and Management (PMM) server 2.x before 2.37.1, the authenticate function in auth_server.go does not properly formalize and sanitize URL paths to reject path traversal attempts. This allows an unauthenticated remote user, when a crafted POST request is made against unauthenticated API routes, to access otherwise protected API routes leading to escalation of privileges and information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2025

CVE-2023-33477
Publication date:
06/06/2023
In Harmonic NSG 9000-6G devices, an authenticated remote user can obtain source code by directly requesting a special path.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2025

CVE-2023-2961
Publication date:
06/06/2023
A segmentation fault flaw was found in the Advancecomp package. This may lead to decreased availability.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2025

CVE-2023-2603
Publication date:
06/06/2023
A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB.
Severity CVSS v4.0: Pending analysis
Last modification:
02/12/2025

CVE-2023-2157
Publication date:
06/06/2023
A heap-based buffer overflow vulnerability was found in the ImageMagick package that can lead to the application crashing.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2025

CVE-2023-2602
Publication date:
06/06/2023
A vulnerability was found in the pthread_create() function in libcap. This issue may allow a malicious actor to use cause __real_pthread_create() to return an error, which can exhaust the process memory.
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2023

CVE-2023-2253
Publication date:
06/06/2023
A flaw was found in the `/v2/_catalog` endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: `n`). This vulnerability allows a malicious user to submit an unreasonably large value for `n,` causing the allocation of a massive string array, possibly causing a denial of service through excessive use of memory.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2025

CVE-2023-29632
Publication date:
06/06/2023
PrestaShop jmspagebuilder 3.x is vulnerable to SQL Injection via ajax_jmspagebuilder.php.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2025

CVE-2023-1621
Publication date:
06/06/2023
An issue has been discovered in GitLab EE affecting all versions starting from 12.0 before 15.10.5, all versions starting from 15.11 before 15.11.1. A malicious group member may continue to commit to projects even from a restricted IP address.
Severity CVSS v4.0: Pending analysis
Last modification:
13/06/2023

CVE-2023-33977
Publication date:
06/06/2023
Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded and Content-Security-Policy definition to prevent cross-site-scripting attacks. The upload validation checks were not 100% robust which left the possibility to circumvent them and upload a potentially dangerous file which allows execution of arbitrary JavaScript in the browser. Additionally we've discovered that Nginx's `proxy_pass` directive will strip some headers negating protections built into Kiwi TCMS when served behind a reverse proxy. This issue has been addressed in version 12.4. Users are advised to upgrade. Users unable to upgrade who are serving Kiwi TCMS behind a reverse proxy should make sure that additional header values are still passed to the client browser. If they aren't redefining them inside the proxy configuration.
Severity CVSS v4.0: Pending analysis
Last modification:
14/06/2023

CVE-2023-33652
Publication date:
06/06/2023
Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /sitecore/shell/Invoke.aspx.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2025

CVE-2023-33653
Publication date:
06/06/2023
Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /Applications/Content%20Manager/Execute.aspx?cmd=convert&mode=HTML.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2025
Subscribe to Vulnerabilities