Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-29639
Publication date:
01/05/2023
Cross site scripting (XSS) vulnerability in ZHENFENG13 My-Blog, allows attackers to inject arbitrary web script or HTML via editing an article in the "blog article" page due to the default configuration not utilizing MyBlogUtils.cleanString.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2026

CVE-2023-0683
Publication date:
01/05/2023
A valid, authenticated XCC user with read only access may gain elevated privileges through a specifically crafted API call.
Severity CVSS v4.0: Pending analysis
Last modification:
10/05/2023

CVE-2022-46365
Publication date:
01/05/2023
Apache StreamPark 1.0.0 before 2.0.0 When the user successfully logs in, to modify his profile, the username will be passed to the server-layer as a parameter, but not verified whether the user name is the currently logged user and whether the user is legal, This will allow malicious attackers to send any username to modify and reset the account, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.<br /> <br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2024

CVE-2022-48186
Publication date:
01/05/2023
A certificate validation vulnerability exists in the Baiying Android application which could lead to information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2022-4568
Publication date:
01/05/2023
A directory permissions management vulnerability in Lenovo System Update may allow elevation of privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2023-25492
Publication date:
01/05/2023
A valid, authenticated user may be able to trigger a denial of service of the XCC web user interface or other undefined behavior through a format string injection vulnerability in a web interface API.
Severity CVSS v4.0: Pending analysis
Last modification:
10/05/2023

CVE-2023-28092
Publication date:
01/05/2023
A potential security vulnerability has been identified in HPE ProLiant RL300 Gen11 Server. The vulnerability could result in the system being vulnerable to exploits by attackers with physical access inside the server chassis.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
10/05/2023

CVE-2022-45802
Publication date:
01/05/2023
Streampark allows any users to upload a jar as application, but there is no mandatory verification of the uploaded file type, causing users to upload some high-risk files, and may upload them to any directory, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later<br /> <br /> <br /> <br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2024

CVE-2022-45801
Publication date:
01/05/2023
Apache StreamPark 1.0.0 to 2.0.0 have a LDAP injection vulnerability.<br /> LDAP Injection is an attack used to exploit web based applications<br /> that construct LDAP statements based on user input. When an<br /> application fails to properly sanitize user input, it&amp;#39;s possible to<br /> modify LDAP statements through techniques similar to SQL Injection.<br /> LDAP injection attacks could result in the granting of permissions to<br /> unauthorized queries, and content modification inside the LDAP tree.<br /> This risk may only occur when the user logs in with ldap, and the user<br /> name and password login will not be affected, Users of the affected<br /> versions should upgrade to Apache StreamPark 2.0.0 or later.<br /> <br /> <br /> <br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
09/05/2023

CVE-2023-30859
Publication date:
01/05/2023
Triton is a Minecraft plugin for Spigot and BungeeCord that helps you translate your Minecraft server. The CustomPayload packet allows you to execute commands on the spigot/bukkit console. When you enable bungee mode in the config it will enable the bungee bridge and the server will begin to broadcast the &amp;#39;triton:main&amp;#39; plugin channel. Using this plugin channel you are able to send a payload packet containing a byte (2) and a string (any spigot command). This could be used to make yourself a server operator and be used to extract other user information through phishing (pretending to be an admin), many servers use essentials so the /geoip command could be available to them, etc. This could also be modified to allow you to set the servers language, set another players language, etc. This issue affects those who have bungee enabled in config. This issue has been fixed in version 3.8.4.
Severity CVSS v4.0: Pending analysis
Last modification:
09/05/2023

CVE-2023-0896
Publication date:
01/05/2023
A default password was reported in Lenovo Smart Clock Essential with Alexa Built In that could allow unauthorized device access to an attacker with local network access.
Severity CVSS v4.0: Pending analysis
Last modification:
09/05/2023

CVE-2023-30061
Publication date:
01/05/2023
D-Link DIR-879 v105A1 is vulnerable to Authentication Bypass via phpcgi.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025
Subscribe to Vulnerabilities