Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-1031
Publication date:
22/03/2022
Use After Free in op_is_set_bp in GitHub repository radareorg/radare2 prior to 5.6.6.
Severity CVSS v4.0: Pending analysis
Last modification:
28/03/2022

CVE-2022-26260
Publication date:
22/03/2022
Simple-Plist v1.3.0 was discovered to contain a prototype pollution vulnerability via .parse().
Severity CVSS v4.0: Pending analysis
Last modification:
28/03/2022

CVE-2022-25517
Publication date:
22/03/2022
MyBatis plus v3.4.3 was discovered to contain a SQL injection vulnerability via the Column parameter in /core/conditions/AbstractWrapper.java. NOTE: the vendor's position is that the reported execution of a SQL statement was intended behavior.
Severity CVSS v4.0: Pending analysis
Last modification:
03/08/2024

CVE-2022-27228
Publication date:
22/03/2022
In the vote (aka "Polls, Votes") module before 21.0.100 of Bitrix Site Manager, a remote unauthenticated attacker can execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
28/03/2022

CVE-2021-41736
Publication date:
22/03/2022
Faust v2.35.0 was discovered to contain a heap-buffer overflow in the function realPropagate() at propagate.cpp.
Severity CVSS v4.0: Pending analysis
Last modification:
28/03/2022

CVE-2022-25484
Publication date:
22/03/2022
tcpprep v4.4.1 has a reachable assertion (assert(l2len > 0)) in packet2tree() at tree.c in tcpprep v4.4.1.
Severity CVSS v4.0: Pending analysis
Last modification:
28/03/2022

CVE-2022-21718
Publication date:
22/03/2022
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. This has been patched and Electron versions `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
24/07/2023

CVE-2022-24774
Publication date:
22/03/2022
CycloneDX BOM Repository Server is a bill of materials (BOM) repository server for distributing CycloneDX BOMs. CycloneDX BOM Repository Server before version 2.0.1 has an improper input validation vulnerability leading to path traversal. A malicious user may potentially exploit this vulnerability to create arbitrary directories or a denial of service by deleting arbitrary directories. The vulnerability is resolved in version 2.0.1. The vulnerability is not exploitable with the default configuration with the post and delete methods disabled. This can be configured by modifying the `appsettings.json` file, or alternatively, setting the environment variables `ALLOWEDMETHODS__POST` and `ALLOWEDMETHODS__DELETE` to `false`.
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2023

CVE-2022-24764
Publication date:
22/03/2022
PJSIP is a free and open source multimedia communication library written in C. Versions 2.12 and prior contain a stack buffer overflow vulnerability that affects PJSUA2 users or users that call the API `pjmedia_sdp_print(), pjmedia_sdp_media_print()`. Applications that do not use PJSUA2 and do not directly call `pjmedia_sdp_print()` or `pjmedia_sdp_media_print()` should not be affected. A patch is available on the `master` branch of the `pjsip/pjproject` GitHub repository. There are currently no known workarounds.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2021-43650
Publication date:
22/03/2022
WebRun 3.6.0.42 is vulnerable to SQL Injection via the P_0 parameter used to set the username during the login process.
Severity CVSS v4.0: Pending analysis
Last modification:
28/03/2022

CVE-2022-1036
Publication date:
22/03/2022
Able to create an account with long password leads to memory corruption / Integer Overflow in GitHub repository microweber/microweber prior to 1.2.12.
Severity CVSS v4.0: Pending analysis
Last modification:
28/03/2022

CVE-2022-0667
Publication date:
22/03/2022
When the vulnerability is triggered the BIND process will exit. BIND 9.18.0
Severity CVSS v4.0: Pending analysis
Last modification:
09/11/2023
Subscribe to Vulnerabilities