Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-26540

Publication date:
08/02/2021
Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with "/\\example.com".
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2021

CVE-2021-26539

Publication date:
08/02/2021
Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option.
Severity CVSS v4.0: Pending analysis
Last modification:
26/04/2022

CVE-2021-26541

Publication date:
08/02/2021
The gitlog function in src/index.ts in gitlog before 4.0.4 has a command injection vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2022

CVE-2021-22122

Publication date:
08/02/2021
An improper neutralization of input during web page generation in FortiWeb GUI interface 6.3.0 through 6.3.7 and version before 6.2.4 may allow an unauthenticated, remote attacker to perform a reflected cross site scripting attack (XSS) by injecting malicious payload in different vulnerable API end-points.
Severity CVSS v4.0: Pending analysis
Last modification:
10/02/2021

CVE-2020-6649

Publication date:
08/02/2021
An insufficient session expiration vulnerability in FortiNet's FortiIsolator version 2.0.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks).
Severity CVSS v4.0: Pending analysis
Last modification:
10/02/2021

CVE-2021-20359

Publication date:
08/02/2021
IBM Cloud Pak for Automation 20.0.3, 20.0.2-IF002 - Business Automation Application Designer Component stores potentially sensitive information in log files that could be obtained by an unauthorized user. IBM X-Force ID: 194966.
Severity CVSS v4.0: Pending analysis
Last modification:
10/02/2021

CVE-2021-20358

Publication date:
08/02/2021
IBM Cloud Pak for Automation 20.0.3, 20.0.2-IF002 stores potentially sensitive information in clear text in API connection log files. This information could be obtained by a user with permissions to read log files. IBM X-Force ID: 194965.
Severity CVSS v4.0: Pending analysis
Last modification:
10/02/2021

CVE-2020-16629

Publication date:
08/02/2021
PhpOK 5.4.137 contains a SQL injection vulnerability that can inject an attachment data through SQL, and then call the attachment replacement function through api.php to write a PHP file to the target path.
Severity CVSS v4.0: Pending analysis
Last modification:
10/02/2021

CVE-2021-26825

Publication date:
08/02/2021
An integer overflow issue exists in Godot Engine up to v3.2 that can be triggered when loading specially crafted .TGA image files. The vulnerability exists in the ImageLoaderTGA::load_image() function at the line: const size_t buffer_size = (tga_header.image_width * tga_header.image_height) * pixel_size; The bug leads to a dynamic stack buffer overflow. Depending on the context of the application, the attack vector can be local or remote, and can lead to code execution and/or a system crash.
Severity CVSS v4.0: Pending analysis
Last modification:
11/02/2021

CVE-2021-26826

Publication date:
08/02/2021
A stack overflow issue exists in Godot Engine up to v3.2 and is caused by improper boundary checks when loading .TGA image files. Depending on the context of the application, the attack vector can be local or remote, and can lead to code execution and/or a system crash.
Severity CVSS v4.0: Pending analysis
Last modification:
11/02/2021

CVE-2021-3293

Publication date:
08/02/2021
emlog v5.3.1 has full path disclosure vulnerability in t/index.php, which allows an attacker to see the path to the webroot/file.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2023

CVE-2020-26052

Publication date:
08/02/2021
Online Marriage Registration System 1.0 is affected by stored cross-site scripting (XSS) vulnerabilities in multiple parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
14/11/2023