Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-38829

Publication date:
16/09/2022
Tenda RX9_Pro V22.03.02.10 is vulnerable to Buffer Overflow via httpd/setMacFilterCfg.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2022

CVE-2022-38828

Publication date:
16/09/2022
TOTOLINK T6 V4.1.5cu.709_B20210518 is vulnerable to command injection via cstecgi.cgi
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-38827

Publication date:
16/09/2022
TOTOLINK T6 V4.1.5cu.709_B20210518 is vulnerable to Buffer Overflow via cstecgi.cgi
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2022

CVE-2022-38823

Publication date:
16/09/2022
In TOTOLINK T6 V4.1.5cu.709_B20210518, there is a hard coded password for root in /etc/shadow.sample.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2022

CVE-2022-37250

Publication date:
16/09/2022
Craft CMS 4.2.0.1 suffers from Stored Cross Site Scripting (XSS) in /admin/myaccount.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2025

CVE-2022-38826

Publication date:
16/09/2022
In TOTOLINK T6 V4.1.5cu.709_B20210518, there is an execute arbitrary command in cstecgi.cgi.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2021-42949

Publication date:
16/09/2022
The component controlla_login function in HotelDruid Hotel Management Software v3.0.3 generates a predictable session token, allowing attackers to bypass authentication via bruteforce attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2025

CVE-2022-3176

Publication date:
16/09/2022
There exists a use-after-free in io_uring in the Linux kernel. Signalfd_poll() and binder_poll() use a waitqueue whose lifetime is the current task. It will send a POLLFREE notification to all waiters before the queue is freed. Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with io_uring poll, and the waitqueue gets freed. We recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659
Severity CVSS v4.0: Pending analysis
Last modification:
11/04/2023

CVE-2022-38846

Publication date:
16/09/2022
EspoCRM version 7.1.8 is vulnerable to Missing Secure Flag allowing the browser to send plain text cookies over an insecure channel (HTTP). An attacker may capture the cookie from the insecure channel using MITM attack.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2022

CVE-2022-38844

Publication date:
16/09/2022
CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Admin user exporting contacts in CSV file may end up executing the malicious system commands on his system.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2022

CVE-2022-38843

Publication date:
16/09/2022
EspoCRM version 7.1.8 is vulnerable to Unrestricted File Upload allowing attackers to upload malicious file with any extension to the server. Attacker may execute these malicious files to run unintended code on the server to compromise the server.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2022

CVE-2022-38808

Publication date:
16/09/2022
ywoa v6.1 is vulnerable to SQL Injection via backend/oa/visual/exportExcel.do interface.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2022