Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information. The database is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish by virtue of a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters, you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-36158

Publication date:
26/09/2022
Contec FXA3200 version 1.13.00 and under suffers from Insecure Permissions in the Wireless LAN Manager interface which allows malicious actors to execute Linux commands with root privilege via a hidden web page (/usr/www/ja/mnt_cmd.cgi).
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2022-38553

Publication date:
26/09/2022
Academy Learning Management System before v5.9.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Search parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2022-21169

Publication date:
26/09/2022
The package express-xss-sanitizer before 1.1.3 is vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass xss sanitization.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2022-21797

Publication date:
26/09/2022
The package joblib from 0 and before 1.2.0 is vulnerable to Arbitrary Code Execution via the pre_dispatch flag in the Parallel() class due to the eval() statement.
Severity CVSS v4.0: Pending analysis
Last modification:
23/08/2024

CVE-2022-41347

Publication date:
26/09/2022
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.x and 9.x (e.g., 8.8.15). The Sudo configuration permits the zimbra user to execute the NGINX binary as root with arbitrary parameters. As part of its intended functionality, NGINX can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2025

CVE-2022-41352

Publication date:
26/09/2022
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavis automatically prefers it over cpio.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2022-41343

Publication date:
25/09/2022
registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule.
Severity CVSS v4.0: Pending analysis
Last modification:
22/05/2025

CVE-2022-3297

Publication date:
25/09/2022
Use After Free in GitHub repository vim/vim prior to 9.0.0579.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-3296

Publication date:
25/09/2022
Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0577.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-41340

Publication date:
24/09/2022
The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without required r and s validation, leading to signature forgery.
Severity CVSS v4.0: Pending analysis
Last modification:
22/05/2025

CVE-2022-23463

Publication date:
24/09/2022
Nepxion Discovery is a solution for Spring Cloud. Discovery is vulnerable to SpEL Injection in discovery-commons. DiscoveryExpressionResolver’s eval method is evaluating expression with a StandardEvaluationContext, allowing the expression to reach and interact with Java classes such as java.lang.Runtime, leading to Remote Code Execution. There is no patch available for this issue at the time of publication. There are no known workarounds.
Severity CVSS v4.0: Pending analysis
Last modification:
28/09/2022

CVE-2022-23464

Publication date:
24/09/2022
Nepxion Discovery is a solution for Spring Cloud. Discovery is vulnerable to a potential Server-Side Request Forgery (SSRF). RouterResourceImpl uses RestTemplate’s getForEntity to retrieve the contents of a URL containing user-controlled input, potentially resulting in Information Disclosure. There is no patch available for this issue at the time of publication. There are no known workarounds.
Severity CVSS v4.0: Pending analysis
Last modification:
28/09/2022