Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-22893

Publication date:
19/04/2023
Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user that uses AWS Cognito for authentication.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2025

CVE-2023-22894

Publication date:
19/04/2023
Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super admin access, then this can be exploited to discover the password hash and password reset token of all users. If the attacker has admin panel access to an account with permission to access the username and email of API users with a lower privileged role (e.g., Editor or Author), then this can be exploited to discover sensitive information for all API users but not other admin accounts.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2025

CVE-2023-29586

Publication date:
19/04/2023
Code Sector TeraCopy 3.9.7 does not perform proper access validation on the source folder during a copy operation. This leads to Arbitrary File Read by allowing any user to copy any directory in the system to a directory they control. NOTE: the Supplier disputes this because only admin users can copy arbitrary folders, and because the 143984 reference is about a different concern (unrelated to directory copying) that was fixed in 3.5b.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2023-29923

Publication date:
19/04/2023
PowerJob V4.3.1 is vulnerable to Insecure Permissions via the list job interface.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2023-27777

Publication date:
19/04/2023
A cross-site scripting (XSS) vulnerability was discovered in Online Jewelry Shop v1.0 that allows attackers to execute arbitrary script via a crafted URL.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2023-27776

Publication date:
19/04/2023
A stored cross-site scripting (XSS) vulnerability in /index.php?page=category_list of Online Jewelry Shop v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Category Name parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2023-29921

Publication date:
19/04/2023
PowerJob V4.3.1 is vulnerable to Incorrect Access Control via the create app interface.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2023-25760

Publication date:
19/04/2023
Incorrect Access Control in Tripleplay Platform releases prior to Caveman 3.4.0 allows an authenticated user to modify other users' passwords via a crafted request payload.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2023-30463

Publication date:
19/04/2023
Altran picoTCP through 1.7.0 allows memory corruption (and subsequent denial of service) because of an integer overflow in pico_ipv6_alloc when processing large ICMPv6 packets. This affects installations with Ethernet support in which a packet size greater than 65495 may occur.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2023-26599

Publication date:
19/04/2023
XSS vulnerability in TripleSign in Tripleplay Platform releases prior to Caveman 3.4.0 allows attackers to inject client-side code to run as an authenticated user via a crafted link.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2023-25759

Publication date:
19/04/2023
OS Command Injection in TripleData Reporting Engine in Tripleplay Platform releases prior to Caveman 3.4.0 allows authenticated users to run unprivileged OS level commands via a crafted request payload.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2022-38125

Publication date:
19/04/2023
Improper Restriction of Communication Channel to Intended Endpoints vulnerability in Secomea SiteManager (FTP Agent modules) allows Exploiting Trust in Client.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025