Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-44070
Publication date:
16/11/2022
Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via News articles.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2025

CVE-2022-43262
Publication date:
16/11/2022
Human Resource Management System v1.0 was discovered to contain a SQL injection vulnerability via the password parameter at /hrm/controller/login.php.
Severity CVSS v4.0: Pending analysis
Last modification:
26/12/2023

CVE-2022-43256
Publication date:
16/11/2022
SeaCms before v12.6 was discovered to contain a SQL injection vulnerability via the component /js/player/dmplayer/dmku/index.php.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2025

CVE-2022-43263
Publication date:
16/11/2022
A cross-site scripting (XSS) vulnerability in Arobas Music Guitar Pro for iPad and iPhone before v1.10.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the name of an uploaded file.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2025

CVE-2022-43264
Publication date:
16/11/2022
Arobas Music Guitar Pro for iPad and iPhone before v1.10.2 allows attackers to perform directory traversal and download arbitrary files via a crafted web request.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2025

CVE-2022-43234
Publication date:
16/11/2022
An arbitrary file upload vulnerability in the /attachments component of Hoosk v1.8 allows attackers to execute arbitrary code via a crafted PHP file.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2025

CVE-2022-4022
Publication date:
16/11/2022
The SVG Support plugin for WordPress defaults to insecure settings in version 2.5 and 2.5.1. SVG files containing malicious javascript are not sanitized. While version 2.5 adds the ability to sanitize image as they are uploaded, the plugin defaults to disable sanitization and does not restrict SVG upload to only administrators. This allows authenticated attackers, with author-level privileges and higher, to upload malicious SVG files that can be embedded in posts and pages by higher privileged users. Additionally, the embedded JavaScript is also triggered on visiting the image URL, which allows an attacker to execute malicious code in browsers visiting that URL.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-4021
Publication date:
16/11/2022
The Permalink Manager Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.2.20.1. This is due to missing or incorrect nonce validation on the extra_actions function. This makes it possible for unauthenticated attackers to change plugin settings including permalinks and site maps, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2022-4018
Publication date:
16/11/2022
Missing Authentication for Critical Function in GitHub repository ikus060/rdiffweb prior to 2.5.0a6.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2022

CVE-2022-3980
Publication date:
16/11/2022
An XML External Entity (XEE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025

CVE-2022-24036
Publication date:
16/11/2022
Karmasis Informatics Infraskope SIEM+ has an unauthenticated access vulnerability which could allow an unauthenticated attacker to modificate logs.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2024

CVE-2022-45047
Publication date:
16/11/2022
Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD
Severity CVSS v4.0: Pending analysis
Last modification:
16/02/2024
Subscribe to Vulnerabilities