Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-29020
Publication date:
16/04/2022
ForestBlog through 2022-02-16 allows admin/profile/save userAvatar XSS during addition of a user avatar.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2022

CVE-2022-29287
Publication date:
16/04/2022
Kentico CMS before 13.0.66 has an Insecure Direct Object Reference vulnerability. It allows an attacker with user management rights (default is Administrator) to export the user options of any user, even ones with higher privileges (like Global Administrators) than the current user. The exported XML contains every option of the exported user (even the hashed password).
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2022-1365
Publication date:
15/04/2022
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository lquixada/cross-fetch prior to 3.1.5.
Severity CVSS v4.0: Pending analysis
Last modification:
22/11/2022

CVE-2022-29281
Publication date:
15/04/2022
Notable before 1.9.0-beta.8 doesn't effectively prevent the opening of executable files when clicking on a link. There is improper validation of the file URI scheme. A hyperlink to an SMB share could lead to execution of an arbitrary program (or theft of NTLM credentials via an SMB relay attack, because the application resolves UNC paths).
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-27426
Publication date:
15/04/2022
A Server-Side Request Forgery (SSRF) in Chamilo LMS v1.11.13 allows attackers to enumerate the internal network and execute arbitrary system commands via a crafted Phar file.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2022

CVE-2022-27423
Publication date:
15/04/2022
Chamilo LMS v1.11.13 was discovered to contain a SQL injection vulnerability via the blog_id parameter at /blog/blog.php.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2022

CVE-2022-27425
Publication date:
15/04/2022
Chamilo LMS v1.11.13 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /blog/blog.php.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2022

CVE-2022-27422
Publication date:
15/04/2022
A reflected cross-site scripting (XSS) vulnerability in Chamilo LMS v1.11.13 allows attackers to execute arbitrary web scripts or HTML via user interaction with a crafted URL.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2022

CVE-2022-29072
Publication date:
15/04/2022
7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process. NOTE: multiple third parties have reported that no privilege escalation can occur
Severity CVSS v4.0: Pending analysis
Last modification:
09/06/2025

CVE-2022-27427
Publication date:
15/04/2022
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-38745. Reason: This candidate is a duplicate of CVE-2021-38745. Notes: All CVE users should reference CVE-2021-38745 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-27421
Publication date:
15/04/2022
Chamilo LMS v1.11.13 lacks validation on the user modification form, allowing attackers to escalate privileges to Platform Admin.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-24279
Publication date:
15/04/2022
The package madlib-object-utils before 0.1.8 are vulnerable to Prototype Pollution via the setValue method, as it allows an attacker to merge object prototypes into it. *Note:* This vulnerability derives from an incomplete fix of [CVE-2020-7701](https://security.snyk.io/vuln/SNYK-JS-MADLIBOBJECTUTILS-598676)
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2022
Subscribe to Vulnerabilities