Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-45401
Publication date:
18/02/2022
A Command injection vulnerability exists in Tenda AC10U AC1200 Smart Dual-band Wireless Router AC10U V1.0 Firmware V15.03.06.49_multi via the setUsbUnload functionality. The vulnerability is caused because the client controlled "deviceName" value is passed directly to the "doSystemCmd" function.
Severity CVSS v4.0: Pending analysis
Last modification:
28/02/2022

CVE-2022-0138
Publication date:
18/02/2022
MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 has a deserialization function that does not validate or check the data, allowing arbitrary classes to be created.
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2022

CVE-2021-4093
Publication date:
18/02/2022
A flaw was found in the KVM's AMD code for supporting the Secure Encrypted Virtualization-Encrypted State (SEV-ES). A KVM guest using SEV-ES can trigger out-of-bounds reads and writes in the host kernel via a malicious VMGEXIT for a string I/O instruction (for example, outs or ins) using the exit reason SVM_EXIT_IOIO. This issue results in a crash of the entire system or a potential guest-to-host escape scenario.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-4090
Publication date:
18/02/2022
An out-of-bounds (OOB) memory write flaw was found in the NFSD in the Linux kernel. Missing sanity may lead to a write beyond bmval[bmlen-1] in nfsd4_decode_bitmap4 in fs/nfsd/nfs4xdr.c. In this flaw, a local attacker with user privilege may gain access to out-of-bounds memory, leading to a system integrity and confidentiality threat.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-4091
Publication date:
18/02/2022
A double-free was found in the way 389-ds-base handles virtual attributes context in persistent searches. An attacker could send a series of search requests, forcing the server to behave unexpectedly, and crash.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2021-38935
Publication date:
18/02/2022
IBM Maximo Asset Management 7.6.1.2 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 210892.
Severity CVSS v4.0: Pending analysis
Last modification:
25/02/2022

CVE-2021-30650
Publication date:
18/02/2022
A reflected cross-site scripting (XSS) vulnerability in the Symantec Layer7 API Management OAuth Toolkit (OTK) allows a remote attacker to craft a malicious URL for the OTK web UI and target OTK users with phishing attacks or other social engineering techniques. A successful attack allows injecting malicious code into the OTK web UI client application.
Severity CVSS v4.0: Pending analysis
Last modification:
28/02/2022

CVE-2021-26619
Publication date:
18/02/2022
An path traversal vulnerability leading to delete arbitrary files was discovered in BigFileAgent. Remote attackers can use this vulnerability to delete arbitrary files of unspecified number of users.
Severity CVSS v4.0: Pending analysis
Last modification:
28/02/2022

CVE-2021-44968
Publication date:
18/02/2022
A Use after Free vulnerability exists in IOBit Advanced SystemCare 15 pro via requests sent in sequential order using the IOCTL driver codes, which could let a malicious user execute arbitrary code or a Denial of Service (system crash). IOCTL list: iobit_ioctl = [0x8001e01c, 0x8001e020, 0x8001e024, 0x8001e040,0x8001e044, 0x8001e048, 0x8001e04c, 0x8001e000, 0x8001e004, 0x8001e008, 0x8001e00c, 0x8001e010, 0x8001e014, 0x8001e018]
Severity CVSS v4.0: Pending analysis
Last modification:
01/03/2022

CVE-2021-26618
Publication date:
18/02/2022
An improper input validation leading to arbitrary file creation was discovered in ToWord of ToOffice. Remote attackers use this vulnerability to execute arbitrary file included malicious code.
Severity CVSS v4.0: Pending analysis
Last modification:
25/02/2022

CVE-2021-3930
Publication date:
18/02/2022
An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2022

CVE-2021-3947
Publication date:
18/02/2022
A stack-buffer-overflow was found in QEMU in the NVME component. The flaw lies in nvme_changed_nslist() where a malicious guest controlling certain input can read out of bounds memory. A malicious user could use this flaw leading to disclosure of sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
21/11/2023
Subscribe to Vulnerabilities