Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are available: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters, you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2022-40262

Publication date:
20/09/2022
A potential attacker can execute arbitrary code during the PEI phase and influence the subsequent boot stages. This can lead to bypassing of mitigations, disclosure of physical memory contents, discovery of any secrets from any Virtual Machines (VMs), and bypassing of memory isolation and confidential computing boundaries. Additionally, an attacker can build a payload which can be injected into SMRAM memory. This issue affects: Module name: S3Resume2Pei; SHA256: 7bb29f05534a8a1e010443213451425098faebd45948a4642db969b19d0253fc; Module GUID: 89E549B0-7CFE-449D-9BA3-10D8B2312D71.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2025

CVE-2022-41138

Publication date:
20/09/2022
In Zutty before 0.13, DECRQSS in text written to the terminal can achieve arbitrary code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2025

CVE-2022-37259

Publication date:
20/09/2022
A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the string variable in babel.js.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2025

CVE-2022-39974

Publication date:
20/09/2022
WASM3 v0.5.0 was discovered to contain a segmentation fault via the component op_Select_i32_srs in wasm3/source/m3_exec.h.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2025

CVE-2016-20015

Publication date:
20/09/2022
In the ebuild package through smokeping-2.7.3-r1 for SmokePing on Gentoo, the initscript allows the smokeping user to gain ownership of any file, allowing for the smokeping user to gain root privileges. There is a race condition involving /var/lib/smokeping and chown.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2025

CVE-2017-20148

Publication date:
20/09/2022
In the ebuild package through logcheck-1.3.23.ebuild for Logcheck on Gentoo, it is possible to achieve root privilege escalation from the logcheck user because of insecure recursive chown calls.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2025

CVE-2017-20147

Publication date:
20/09/2022
In the ebuild package through smokeping-2.7.3-r1 for SmokePing on Gentoo, the initscript uses a PID file that is writable by the smokeping user. By writing arbitrary PIDs to that file, the smokeping user can cause a denial of service to arbitrary PIDs when the service is stopped.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2025

CVE-2022-37204

Publication date:
20/09/2022
Final CMS 5.1.0 is vulnerable to SQL Injection.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2025

CVE-2022-38916

Publication date:
20/09/2022
A file upload vulnerability exists in the storage feature of pagekit 1.0.18, which allows an attacker to upload malicious files.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2025

CVE-2022-35196

Publication date:
20/09/2022
TestLink v1.9.20 was discovered to contain a Cross-Site Request Forgery (CSRF) via /lib/plan/planView.php.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2025

CVE-2021-33076

Publication date:
20/09/2022
Improper authentication in firmware for some Intel(R) SSD DC Products may allow an unauthenticated user to potentially enable escalation of privilege via physical access.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2022-32167

Publication date:
20/09/2022
Cloudreve versions v1.0.0 through v3.5.3 are vulnerable to Stored Cross-Site Scripting (XSS) via the file upload functionality. A low-privileged user will be able to share a file with an admin user, which could lead to privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
21/09/2022