Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we make available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used to support the exchange of information between different tools and databases.

Every vulnerability collected is linked to its information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-26546

Publication date:
02/05/2023
European Chemicals Agency IUCLID before 6.27.6 allows remote authenticated users to execute arbitrary code via Server Side Template Injection (SSTI) with a crafted template file. The attacker must have template manager permission.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2023-26089

Publication date:
02/05/2023
European Chemicals Agency IUCLID 6.x before 6.27.6 allows authentication bypass because a weak hard-coded secret is used for JWT signing. The affected versions are 5.15.0 through 6.27.5.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2022-47878

Publication date:
02/05/2023
Incorrect input validation for the default-storage-path in the settings page in Jedox 2020.2.5 allows remote, authenticated users to specify the location as Webroot directory. Consecutive file uploads can lead to the execution of arbitrary code. NOTE: The vendor states that the vulnerability affects installations running version 22.2 or earlier. The issue was resolved with the version 22.3 and later versions are not affected. Additionally, the vendor states that this vulnerability affects on-premises deployments only and that it does not impact cloud-hosted or SaaS environments.
Severity CVSS v4.0: Pending analysis
Last modification:
06/11/2025

CVE-2023-30861

Publication date:
02/05/2023
Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.

1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
2. The application sets `session.permanent = True`
3. The application does not access or modify the session at any point during a request.
4. `SESSION_REFRESH_EACH_REQUEST` enabled (the default).
5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.

This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.
Severity CVSS v4.0: Pending analysis
Last modification:
20/08/2023
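
The following is an added example, not code from this page or from the Flask project. It models the CVE-2023-30861 conditions with a toy shared caching proxy: a "Flask-like" origin that never reads the session but re-sends the caller's `session` cookie on every response, and a cache that keys entries by URL plus the request headers named in `Vary` and honours `Cache-Control: private`/`no-store`. The cookie values, URL and header sets are constructed for the demonstration; the origin is a model of the refresh path, not Flask's own code.

```python
"""Added example, not code from the page or from the Flask project.

A toy shared caching proxy used to replay the CVE-2023-30861 conditions:
the origin below models a Flask view that never touches the session but
still re-sends the `session` cookie on every response (session.permanent
= True with SESSION_REFRESH_EACH_REQUEST enabled). Cookie values, URLs
and header sets are constructed for the demonstration.
"""
from typing import Callable, Dict, List, Tuple

Headers = Dict[str, str]  # header names stored lower-cased; "body" carries the payload
Origin = Callable[[str, Headers], Headers]


def cache_control_directives(headers: Headers) -> set:
    raw = headers.get("cache-control", "")
    return {d.strip().lower() for d in raw.split(",") if d.strip()}


def shared_cache_may_store(response: Headers) -> bool:
    """Advisory condition 5: a shared cache must not store a response that
    carries Cache-Control: private or no-store."""
    return not (cache_control_directives(response) & {"private", "no-store"})


def secondary_key(request: Headers, vary: str) -> Tuple[Tuple[str, str], ...]:
    """HTTP caching secondary key: the request header values named by Vary.
    With no Vary header every client collapses onto the same empty key."""
    names = [n.strip().lower() for n in vary.split(",") if n.strip()]
    return tuple((n, request.get(n, "")) for n in names)


class SharedCache:
    """Caches by URL plus secondary key and, like the proxy in advisory
    condition 1, neither strips Set-Cookie nor refuses to store it."""

    def __init__(self) -> None:
        self.entries: List[Tuple[str, Tuple, Headers]] = []

    def fetch(self, url: str, request: Headers, origin: Origin) -> Headers:
        for stored_url, key, response in self.entries:
            if stored_url == url and key == secondary_key(request, response.get("vary", "")):
                return dict(response, **{"x-cache": "HIT"})
        response = origin(url, request)
        if shared_cache_may_store(response):
            self.entries.append((url, secondary_key(request, response.get("vary", "")), response))
        return dict(response, **{"x-cache": "MISS"})


def flask_like_origin(sets_vary_on_refresh: bool, app_marks_private: bool = False) -> Origin:
    """Models the refresh path: the view never reads the session, so the
    response only re-sends the caller's cookie with a new expiry.
    Vulnerable Flask (before 2.2.5 / 2.3.2) omitted Vary: Cookie on this
    path; fixed versions add it. `app_marks_private` models a hypothetical
    application-side after_request hook adding Cache-Control: private
    (advisory condition 5)."""

    def origin(url: str, request: Headers) -> Headers:
        session = request.get("cookie", "").replace("session=", "", 1) or "anon"
        response: Headers = {
            "body": "public page, no per-user content",
            "set-cookie": f"session={session}; Expires=later; HttpOnly",
        }
        if sets_vary_on_refresh:
            response["vary"] = "Cookie"
        if app_marks_private:
            response["cache-control"] = "private"
        return response

    return origin


def cookie_delivered_to_second_client(origin: Origin) -> Tuple[str, str]:
    """Alice warms the cache, then Bob requests the same URL. Returns the
    Set-Cookie Bob receives and whether it was served from the cache."""
    cache = SharedCache()
    cache.fetch("/home", {"cookie": "session=alice"}, origin)
    bob = cache.fetch("/home", {"cookie": "session=bob"}, origin)
    return bob["set-cookie"], bob["x-cache"]


if __name__ == "__main__":
    scenarios = [
        ("vulnerable refresh (no Vary)", flask_like_origin(False)),
        ("fixed Flask (Vary: Cookie)", flask_like_origin(True)),
        ("app adds Cache-Control: private", flask_like_origin(False, app_marks_private=True)),
    ]
    for label, origin in scenarios:
        print(f"{label:36s} -> Bob receives {cookie_delivered_to_second_client(origin)}")
```

In the first scenario Bob is served Alice's cached response, including her refreshed `session` cookie; in the second the `Vary: Cookie` header keeps the two clients on separate cache keys, and in the third the application's own `Cache-Control: private` prevents the shared cache from storing the response at all. Upgrading to a fixed Flask version addresses the first case; marking authenticated pages private is the defence-in-depth that works regardless of framework behaviour.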

CVE-2023-29918

Publication date:
02/05/2023
RosarioSIS 10.8.4 is vulnerable to CSV injection via the Periods Module.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2023-29868

Publication date:
02/05/2023
Zammad 5.3.x (Fixed in 5.4.0) is vulnerable to Incorrect Access Control. An authenticated attacker with agent and customer roles could perform unauthorized changes on articles where they only have customer permissions.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2023-29867

Publication date:
02/05/2023
Zammad 5.3.x (Fixed in 5.4.0) is vulnerable to Incorrect Access Control. An authenticated attacker could gain information about linked accounts of users involved in their tickets using the Zammad API.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2023-29856

Publication date:
02/05/2023
D-Link DIR-868L Hardware version A1, firmware version 1.12 is vulnerable to Buffer Overflow. The vulnerability is in scandir.sgi binary.
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2024

CVE-2023-2479

Publication date:
02/05/2023
OS Command Injection in GitHub repository appium/appium-desktop prior to v1.22.3-4.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2023

CVE-2023-2477

Publication date:
02/05/2023
A vulnerability was found in Funadmin up to 3.2.3. It has been declared as problematic. Affected by this vulnerability is the function tagLoad of the file Cx.php. The manipulation of the argument file leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-227869 was assigned to this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2024

CVE-2023-2476

Publication date:
02/05/2023
A vulnerability was found in Dromara J2eeFAST up to 2.6.0. It has been classified as problematic. Affected is an unknown function of the component Announcement Handler. The manipulation of the argument 系统工具/公告管理 leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 7a9e1a00e3329fdc0ae05f7a8257cce77037134d. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-227868.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2024

CVE-2023-2445

Publication date:
02/05/2023
Improper access control in Subscriptions Folder path filter in Devolutions Server 2023.1.1 and earlier allows attackers with administrator privileges to retrieve usage information on folders in user vaults via a specific folder name.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025