Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-22741

Publication date:

19/01/2023

Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification. In affected versions Sofia-SIP **lacks both message length and attributes length checks** when it handles STUN packets, leading to controllable heap-over-flow. For example, in stun_parse_attribute(), after we get the attribute&#39;s type and length value, the length will be used directly to copy from the heap, regardless of the message&#39;s left size. Since network users control the overflowed length, and the data is written to heap chunks later, attackers may achieve remote code execution by heap grooming or other exploitation methods. The bug was introduced 16 years ago in sofia-sip 1.12.4 (plus some patches through 12/21/2006) to in tree libs with git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@3774 d0543943-73ff-0310-b7d9-9358b9ac24b2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

24/05/2023

CVE-2023-0126

Publication date:

19/01/2023

Pre-authentication path traversal vulnerability in SMA1000 firmware version 12.4.2, which allows an unauthenticated attacker to access arbitrary files and directories stored outside the web root directory.

Severity CVSS v4.0: Pending analysis

Last modification:

03/04/2025

CVE-2022-47766

Publication date:

19/01/2023

PopojiCMS v2.0.1 backend plugin function has a file upload vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

03/04/2025

CVE-2022-46890

Publication date:

19/01/2023

Weak access control in NexusPHP before 1.7.33 allows a remote authenticated user to edit any post in the forum (this is caused by a lack of checks performed by the /forums.php?action=post page).

Severity CVSS v4.0: Pending analysis

Last modification:

03/04/2025

CVE-2022-46889

Publication date:

19/01/2023

A persistent cross-site scripting (XSS) vulnerability in NexusPHP before 1.7.33 allows remote authenticated attackers to permanently inject arbitrary web script or HTML via the title parameter used in /subtitles.php.

Severity CVSS v4.0: Pending analysis

Last modification:

03/04/2025

CVE-2022-46888

Publication date:

19/01/2023

Multiple reflective cross-site scripting (XSS) vulnerabilities in NexusPHP before 1.7.33 allow remote attackers to inject arbitrary web script or HTML via the secret parameter in /login.php; q parameter in /user-ban-log.php; query parameter in /log.php; text parameter in /moresmiles.php; q parameter in myhr.php; or id parameter in /viewrequests.php.

Severity CVSS v4.0: Pending analysis

Last modification:

03/04/2025

CVE-2022-46887

Publication date:

19/01/2023

Multiple SQL injection vulnerabilities in NexusPHP before 1.7.33 allow remote attackers to execute arbitrary SQL commands via the conuser[] parameter in takeconfirm.php; the delcheater parameter in cheaterbox.php; or the usernw parameter in nowarn.php.

Severity CVSS v4.0: Pending analysis

Last modification:

03/04/2025

CVE-2022-47745

Publication date:

19/01/2023

ZenTao 16.4 to 18.0.beta1 is vulnerable to SQL injection. After logging in with any user, you can complete SQL injection by constructing a special request and sending it to function importNotice.

Severity CVSS v4.0: Pending analysis

Last modification:

04/04/2025

CVE-2023-0406

Publication date:

19/01/2023

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.

Severity CVSS v4.0: Pending analysis

Last modification:

27/01/2023

CVE-2022-47740

Publication date:

19/01/2023

Seltmann GmbH Content Management System 6 is vulnerable to SQL Injection via /index.php.

Severity CVSS v4.0: Pending analysis

Last modification:

04/04/2025

CVE-2022-47195

Publication date:

19/01/2023

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `facebook` field for a user.

Severity CVSS v4.0: Pending analysis

Last modification:

04/11/2025

CVE-2022-47196

Publication date:

19/01/2023

Severity CVSS v4.0: Pending analysis

Last modification:

04/11/2025

Subscribe to Vulnerabilities