Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to anyone interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or fixes provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-25242

Publication date:
16/02/2022
In FileCloud before 21.3, file upload is not protected against Cross-Site Request Forgery (CSRF).
Severity CVSS v4.0: Pending analysis
Last modification:
23/02/2022

CVE-2022-25236

Publication date:
16/02/2022
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2025

CVE-2022-25235

Publication date:
16/02/2022
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2025

CVE-2022-0611

Publication date:
16/02/2022
Missing Authorization in Packagist snipe/snipe-it prior to 5.3.11.
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2026

CVE-2021-46252

Publication date:
15/02/2022
A Cross-Site Request Forgery (CSRF) in RequirementsBypassPage.php of Scratch Wiki scratch-confirmaccount-v3 allows attackers to modify account request requirement bypasses.
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2022
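CVE-2022-25242 (FileCloud) and CVE-2021-46252 (Scratch Wiki) are both state-changing requests that are authenticated only by the session cookie the browser attaches automatically. The following is an added example, not code from FileCloud, Scratch Wiki or INCIBE: it models a cookie-authenticated upload handler in its vulnerable form, the same handler with an Origin check and a session-bound anti-CSRF token, and the request an auto-submitting form on an attacker's page would produce. The secret, session id, host names and file names are hypothetical test values.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Hypothetical server secret and session table (constructed test data).
SERVER_SECRET = b"hypothetical-server-secret-rotate-me"
SESSIONS = {"sess-4f2a": "alice"}          # session cookie value -> user
OWN_ORIGIN = "https://files.example"       # hypothetical site origin


@dataclass
class Request:
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def csrf_token_for(session_id: str) -> str:
    """Token bound to the session by an HMAC; the server embeds it only in its own
    forms, so a page on another origin cannot learn it (same-origin policy)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def upload_vulnerable(req: Request) -> str:
    """Accepts any POST that carries a valid session cookie. Browsers send cookies
    with cross-site form submissions, so a third-party page can trigger this on
    behalf of a logged-in victim: this is the pattern behind the two CSRF entries."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return "401 unauthenticated"
    return f"200 stored {req.form['filename']} for {user}"


def upload_hardened(req: Request) -> str:
    """Same handler with two independent CSRF defences."""
    session_id = req.cookies.get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return "401 unauthenticated"
    # Defence 1: browsers set Origin on cross-site POSTs; reject any foreign origin.
    origin = req.headers.get("Origin")
    if origin is not None and origin != OWN_ORIGIN:
        return "403 cross-site origin"
    # Defence 2: the request must carry the token that only our own page could
    # have embedded; compare in constant time.
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(csrf_token_for(session_id), supplied):
        return "403 missing or invalid csrf token"
    return f"200 stored {req.form['filename']} for {user}"


def legitimate_request() -> Request:
    """What the site's own upload form submits (constructed)."""
    return Request(
        cookies={"session": "sess-4f2a"},
        form={"filename": "report.pdf", "csrf_token": csrf_token_for("sess-4f2a")},
        headers={"Origin": OWN_ORIGIN},
    )


def forged_request() -> Request:
    """What an auto-submitting <form method=POST> on an attacker's page produces:
    the victim's cookie rides along, the token does not, and Origin is the
    attacker's site (constructed)."""
    return Request(
        cookies={"session": "sess-4f2a"},
        form={"filename": "backdoor.php"},
        headers={"Origin": "https://evil.example"},
    )


if __name__ == "__main__":
    print("vulnerable, forged :", upload_vulnerable(forged_request()))
    print("hardened, forged   :", upload_hardened(forged_request()))
    print("hardened, legit    :", upload_hardened(legitimate_request()))
```

The Origin check alone is a useful first line, but it is bypassed when the header is absent; the token check is what closes the hole, which is why the hardened handler requires it unconditionally.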

CVE-2021-46251

Publication date:
15/02/2022
A reflected cross-site scripting (XSS) in ScratchOAuth2 before commit 1603f04e44ef67dde6ccffe866d2dca16defb293 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2022

CVE-2021-46250

Publication date:
15/02/2022
An issue in SOA2Login::commented of ScratchOAuth2 before commit a91879bd58fa83b09283c0708a1864cdf067c64a allows attackers to authenticate as other users on downstream components that rely on ScratchOAuth2.
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2022

CVE-2021-46249

Publication date:
15/02/2022
An authorization bypass exploited by a user-controlled key in SpecificApps REST API in ScratchOAuth2 before commit d856dc704b2504cd3b92cf089fdd366dd40775d6 allows app owners to set flags that indicate whether an app is verified on their own apps.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2022-23643

Publication date:
15/02/2022
Sourcegraph is a code search and navigation engine. Sourcegraph versions 3.35 and 3.36 reintroduced a previously fixed side-channel vulnerability in the Code Monitoring feature where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects only the Code Monitoring feature, whereas CVE-2021-43823 also affected saved searches. A successful attack would require an authenticated bad actor to create many Code Monitors to receive confirmation that a specific string exists. This could allow an attacker to guess formatted tokens in source code, such as API keys. This issue was patched in versions 3.35.2 and 3.36.3 of Sourcegraph. Those who are unable to upgrade may disable the Code Monitor feature in their installation.
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2022
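The advisory describes an existence oracle: each Code Monitor answers whether one literal string occurs in code the attacker is not authorised to read. The following added example (constructed, not Sourcegraph code) shows why that is enough to recover a formatted secret with a few hundred queries instead of an astronomical brute force. The private source text, the key name and the key value are made up; the oracle function stands in for creating one monitor and observing whether it fires.

```python
import string
from typing import Callable, Tuple

# Constructed "private repository" content; the key value is a made-up test string.
PRIVATE_SOURCE = '''
AWS_REGION = "eu-west-1"
SENDGRID_KEY = "SG.k3Xt9QbA"
'''


def existence_oracle(source: str) -> Callable[[str], bool]:
    """Models the leak: a yes/no answer to 'does this literal occur in the private
    code?'. Each call stands in for one Code Monitor the attacker must create."""
    def query(literal: str) -> bool:
        return literal in source
    return query


def recover_secret(oracle: Callable[[str], bool], known_prefix: str,
                   alphabet: str, terminator: str = '"',
                   max_len: int = 64) -> Tuple[str, int]:
    """Extend a known prefix one character at a time until the closing quote
    matches. Returns (recovered_value, number_of_oracle_queries)."""
    current = known_prefix
    queries = 0
    for _ in range(max_len):
        queries += 1
        if oracle(current + terminator):      # closing quote found: value complete
            return current[len(known_prefix):], queries
        for ch in alphabet:
            queries += 1
            if oracle(current + ch):
                current += ch
                break
        else:                                  # no candidate matched: stop here
            return current[len(known_prefix):], queries
    return current[len(known_prefix):], queries


def demo() -> Tuple[str, int]:
    """Attacker knows the surrounding format (an assignment with a quoted value)
    but not the value; the alphabet is the token's plausible character set."""
    oracle = existence_oracle(PRIVATE_SOURCE)
    alphabet = string.ascii_letters + string.digits + "."
    return recover_secret(oracle, 'SENDGRID_KEY = "', alphabet)


if __name__ == "__main__":
    secret, n = demo()
    print(f"recovered {secret!r} with {n} oracle queries")
```

Per character the cost is at most the alphabet size plus one, so the whole 11-character value falls in a few hundred confirmations, which is exactly the "many Code Monitors" the advisory warns about. Rate limiting monitor creation does not fix this; the fix is scoping the search to repositories the user can read, as the patched versions do.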

CVE-2021-35380

Publication date:
15/02/2022
A Directory Traversal vulnerability exists in Solari di Udine TermTalk Server (TTServer) 3.24.0.2, which lets an unauthenticated malicious user gain access to files on the remote system by supplying the relative path of the file they want to download (http://url:port/file?valore).
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2022

CVE-2022-23641

Publication date:
15/02/2022
Discourse is an open source discussion platform. In versions prior to 2.8.1 in the `stable` branch, 2.9.0.beta2 in the `beta` branch, and 2.9.0.beta2 in the `tests-passed` branch, users can trigger a Denial of Service attack by posting a streaming URL. Parsing Oneboxes in the background job triggers an infinite loop, which causes memory leaks. This issue is patched in version 2.8.1 of the `stable` branch, 2.9.0.beta2 of the `beta` branch, and 2.9.0.beta2 of the `tests-passed` branch. As a workaround, disable onebox completely in the admin panel or specify an allow list of domains that will be oneboxed.
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2022

CVE-2021-46263

Publication date:
15/02/2022
Tenda AC Series Router AC11_V02.03.01.104_CN was discovered to contain a stack buffer overflow in the wifiTime module. This vulnerability allows attackers to cause a Denial of Service (DoS) via crafted overflow data.
Severity CVSS v4.0: Pending analysis
Last modification:
23/02/2022