Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-0405

Publication date: 03/04/2022
Improper Access Control in GitHub repository janeczku/calibre-web prior to 0.6.16.
Severity CVSS v4.0: Pending analysis
Last modification: 19/11/2024

CVE-2022-28380

Publication date: 03/04/2022
The rc-httpd component through 2022-03-31 for 9front (Plan 9 fork) allows ..%2f directory traversal if serve-static is used.
Severity CVSS v4.0: Pending analysis
Last modification: 11/04/2022

CVE-2022-28378

Publication date: 03/04/2022
Craft CMS before 3.7.29 allows XSS.
Severity CVSS v4.0: Pending analysis
Last modification: 11/04/2022

CVE-2022-28379

Publication date: 03/04/2022
jc21.com Nginx Proxy Manager before 2.9.17 allows XSS during item deletion.
Severity CVSS v4.0: Pending analysis
Last modification: 11/04/2022

CVE-2022-1211

Publication date: 03/04/2022
A vulnerability classified as critical has been found in tildearrow Furnace dev73. This affects the FUR to VGM converter in console mode which causes stack-based overflows and crashes. It is possible to initiate the attack remotely but it requires user-interaction. A POC has been disclosed to the public and may be used.
Severity CVSS v4.0: Pending analysis
Last modification: 12/04/2022

CVE-2022-1210

Publication date: 03/04/2022
A vulnerability classified as problematic was found in LibTIFF 4.3.0. Affected by this vulnerability is the TIFF File Handler of tiff2ps. Opening a malicious file leads to a denial of service. The attack can be launched remotely but requires user interaction. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: Pending analysis
Last modification: 24/07/2023

CVE-2022-0088

Publication date: 03/04/2022
Cross-Site Request Forgery (CSRF) in GitHub repository yourls/yourls prior to 1.8.3.
Severity CVSS v4.0: Pending analysis
Last modification: 16/02/2026

CVE-2022-28376

Publication date: 03/04/2022
Verizon 5G Home LVSKIHP outside devices through 2022-02-15 allow anyone (knowing the device's serial number) to access a CPE admin website, e.g., at the 10.0.0.1 IP address. The password (for the verizon username) is calculated by concatenating the serial number and the model (i.e., the LVSKIHP string), running the sha256sum program, and extracting the first seven characters concatenated with the last seven characters of that SHA-256 value.
Severity CVSS v4.0: Pending analysis
Last modification: 08/08/2023

CVE-2022-28368

Publication date: 03/04/2022
Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file).
Severity CVSS v4.0: Pending analysis
Last modification: 08/08/2023

CVE-2022-28355

Publication date: 02/04/2022
randomUUID in Scala.js before 1.10.0 generates predictable values.
Severity CVSS v4.0: Pending analysis
Last modification: 11/04/2022

CVE-2022-28356

Publication date: 02/04/2022
In the Linux kernel before 5.17.1, a refcount leak bug was found in net/llc/af_llc.c.
Severity CVSS v4.0: Pending analysis
Last modification: 05/05/2025

CVE-2022-28352

Publication date: 02/04/2022
WeeChat (aka Wee Enhanced Environment for Chat) 3.2 to 3.4 before 3.4.1 does not properly verify the TLS certificate of the server, after certain GnuTLS options are changed, which allows man-in-the-middle attackers to spoof a TLS chat server via an arbitrary certificate. NOTE: this only affects situations where weechat.network.gnutls_ca_system or weechat.network.gnutls_ca_user is changed without a WeeChat restart.
Severity CVSS v4.0: Pending analysis
Last modification: 13/04/2022