Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-48310
Publication date:
01/03/2023
An information disclosure vulnerability allows sensitive key material to be included in technical support archives in Sophos Connect versions older than 2.2.90.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2025

CVE-2022-4901
Publication date:
01/03/2023
Multiple stored XSS vulnerabilities in Sophos Connect versions older than 2.2.90 allow Javascript code to run in the local UI via a malicious VPN configuration that must be manually loaded by the victim.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2025

CVE-2022-3294
Publication date:
01/03/2023
Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2023

CVE-2022-3162
Publication date:
01/03/2023
Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group.
Severity CVSS v4.0: Pending analysis
Last modification:
11/05/2023

CVE-2023-23000
Publication date:
01/03/2023
In the Linux kernel before 5.17, drivers/phy/tegra/xusb.c mishandles the tegra_xusb_find_port_node return value. Callers expect NULL in the error case, but an error pointer is used.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2025

CVE-2023-1127
Publication date:
01/03/2023
Divide By Zero in GitHub repository vim/vim prior to 9.0.1367.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-0460
Publication date:
01/03/2023
The YouTube Embedded 1.2 SDK binds to a service within the YouTube Main App. After binding, a remote context is created with the flags Context.CONTEXT_INCLUDE_CODE | Context.CONTEXT_IGNORE_SECURITY. This allows the client app to remotely load code from YouTube Main App by retrieving the Main App’s ClassLoader. A potential vulnerability in the binding logic used by the client SDK where the SDK ends up calling bindService() on a malicious app rather than YT Main App. This creates a vulnerability where the SDK can load the malicious app’s ClassLoader instead, allowing the malicious app to load arbitrary code into the calling app whenever the embedded SDK is invoked.<br /> <br /> In order to trigger this vulnerability, an attacker must masquerade the Youtube app and install it on a device, have a second app that uses the Embedded player and typically distribute both to the victim outside of the Play Store.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-39228
Publication date:
01/03/2023
vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. vantage6 does not inform the user of wrong username/password combination if the username actually exists. This is an attempt to prevent bots from obtaining usernames. However, if a wrong password is entered a number of times, the user account is blocked temporarily. This issue has been fixed in version 3.8.0.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-0594
Publication date:
01/03/2023
Grafana is an open-source platform for monitoring and observability. <br /> <br /> Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. <br /> <br /> The stored XSS vulnerability was possible due the value of a span&amp;#39;s attributes/resources were not properly sanitized and this will be rendered when the span&amp;#39;s attributes/resources are expanded.<br /> <br /> An attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript. <br /> <br /> This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. <br /> <br /> Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix. <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-36021
Publication date:
01/03/2023
Redis is an in-memory database that persists on disk. Authenticated users can use string matching commands (like `SCAN` or `KEYS`) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time. The problem is fixed in Redis versions 6.0.18, 6.2.11, 7.0.9.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-45608
Publication date:
01/03/2023
An issue was discovered in ThingsBoard 3.4.1, allows low privileged attackers (CUSTOMER_USER) to gain escalated privileges (vertically) and become an Administrator (TENANT_ADMIN) or (SYS_ADMIN) on the web application. It is important to note that in order to accomplish this, the attacker must know the corresponding API&amp;#39;s parameter (authority : value).
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2025

CVE-2023-0507
Publication date:
01/03/2023
Grafana is an open-source platform for monitoring and observability. <br /> <br /> Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. <br /> <br /> The stored XSS vulnerability was possible due to map attributions weren&amp;#39;t properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. <br /> <br /> An attacker needs to have the Editor role in order to change a panel to include a map attribution containing JavaScript. <br /> <br /> This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. <br /> <br /> Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025
Subscribe to Vulnerabilities