Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2019-25060

Publication date:
09/05/2022
The WPGraphQL WordPress plugin before 0.3.5 doesn't properly restrict access to information about other users' roles on the affected site. Because of this, a remote attacker could forge a GraphQL query to retrieve the account roles of every user on the site.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2022

CVE-2022-27224

Publication date:
09/05/2022
An issue was discovered in Galleon NTS-6002-GPS 4.14.103-Galleon-NTS-6002.V12 4. An authenticated attacker can perform command injection as root via shell metacharacters within the Network Tools section of the web-management interface. All three networking tools are affected (Ping, Traceroute, and DNS Lookup) and their respective input fields (ping_address, trace_address, nslookup_address).
Severity CVSS v4.0: Pending analysis
Last modification:
12/10/2022

CVE-2022-1631

Publication date:
09/05/2022
User Account Pre-Takeover or User Account Takeover in GitHub repository microweber/microweber prior to 1.2.15. Victim account takeover: since there is no email confirmation, an attacker can easily create an account in the application using the victim’s email. This allows an attacker to gain pre-authentication to the victim’s account. Further, due to the lack of proper validation of the email coming from Social Login and the failure to check whether an account already exists, the victim will not notice that an account already exists. Hence, the attacker’s persistence will remain. An attacker would be able to see all the activities performed by the victim user, impacting confidentiality, and attempt to modify or corrupt the data, impacting integrity and availability. This attack becomes more interesting when an attacker can register an account from an employee’s email address. Assuming the organization uses G-Suite, it is much more impactful to hijack an employee’s account.
Severity CVSS v4.0: Pending analysis
Last modification:
19/10/2022

CVE-2022-23332

Publication date:
09/05/2022
Command injection vulnerability in Manual Ping Form (Web UI) in Shenzhen Ejoin Information Technology Co., Ltd. ACOM508/ACOM516/ACOM532 609-915-041-100-020 allows a remote attacker to inject arbitrary code via the field.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-30286

Publication date:
09/05/2022
pyscriptjs (aka PyScript Demonstrator) in PyScript through 2022-05-04 allows a remote user to read Python source code.
Severity CVSS v4.0: Pending analysis
Last modification:
16/05/2022

CVE-2022-30333

Publication date:
09/05/2022
RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2022-23066

Publication date:
09/05/2022
Solana rBPF versions 0.2.26 and 0.2.27 are affected by Incorrect Calculation, which is caused by improper implementation of the sdiv instruction. This can lead to the wrong execution path, resulting in huge loss in specific cases. For example, the result of a sdiv instruction may decide whether to transfer tokens or not. The vulnerability affects integrity and may cause serious availability problems.
Severity CVSS v4.0: Pending analysis
Last modification:
10/02/2023

CVE-2022-28463

Publication date:
08/05/2022
ImageMagick 7.1.0-27 is vulnerable to Buffer Overflow.
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2025

CVE-2022-28470

Publication date:
08/05/2022
marcador package in PyPI 0.1 through 0.13 included a code-execution backdoor.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2022

CVE-2022-1620

Publication date:
08/05/2022
NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in GitHub repository vim/vim prior to 8.2.4901 allows attackers to cause a denial of service (application crash) via a crafted input.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-1619

Publication date:
08/05/2022
Heap-based Buffer Overflow in function cmdline_erase_chars in GitHub repository vim/vim prior to 8.2.4899. This vulnerability is capable of crashing software, modifying memory, and possible remote execution.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2018-25033

Publication date:
08/05/2022
ADMesh through 0.98.4 has a heap-based buffer over-read in stl_update_connects_remove_1 (called from stl_remove_degenerate) in connect.c in libadmesh.a.
Severity CVSS v4.0: Pending analysis
Last modification:
06/10/2022