Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-22991
Publication date:
13/01/2022
A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP call. Addressed this vulnerability by disabling checks for internet connectivity using HTTP.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2022

CVE-2022-21684
Publication date:
13/01/2022
Discourse is an open source discussion platform. Versions prior to 2.7.13 in `stable`, 2.8.0.beta11 in `beta`, and 2.8.0.beta11 in `tests-passed` allow some users to log in to a community before they should be able to do so. A user invited via email to a forum with `must_approve_users` enabled is going to be automatically logged in, bypassing the check that does not allow unapproved users to sign in. They will be able to do everything an approved user can do. If they logout, they cannot log back in. This issue is patched in the `stable` version 2.7.13, `beta` version 2.8.0.beta11, and `tests-passed` version 2.8.0.beta11. One may disable invites as a workaround. Administrators can increase `min_trust_level_to_allow_invite` to reduce the attack surface to more trusted users.
Severity CVSS v4.0: Pending analysis
Last modification:
24/07/2023

CVE-2022-22990
Publication date:
13/01/2022
A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on the My Cloud devices. Addressed this vulnerability by changing access token validation logic and rewriting rule logic on PHP scripts.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2023

CVE-2022-22988
Publication date:
13/01/2022
File and directory permissions have been corrected to prevent unintended users from modifying or accessing resources. It would be more difficult for an authenticated attacker to now traverse through the files and directories. This can only be exploited once an attacker has already found a way to get authenticated access to the device.
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2026

CVE-2022-22989
Publication date:
13/01/2022
My Cloud OS 5 was vulnerable to a pre-authenticated stack overflow vulnerability on the FTP service that could be exploited by unauthenticated attackers on the network. Addressed the vulnerability by adding defenses against stack overflow issues.
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2026

CVE-2021-40722
Publication date:
13/01/2022
AEM Forms Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by an XML External Entity (XXE) injection vulnerability that could be abused by an attacker to achieve RCE.
Severity CVSS v4.0: Pending analysis
Last modification:
19/01/2022

CVE-2021-43761
Publication date:
13/01/2022
AEM's Cloud Service offering, as well as versions 6.5.7.0 (and below), 6.4.8.3 (and below) and 6.3.3.8 (and below) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Severity CVSS v4.0: Pending analysis
Last modification:
19/01/2022

CVE-2021-33046
Publication date:
13/01/2022
Some Dahua products have access control vulnerability in the password reset process. Attackers can exploit this vulnerability through specific deployments to reset device passwords.
Severity CVSS v4.0: Pending analysis
Last modification:
25/01/2022

CVE-2021-23227
Publication date:
13/01/2022
Cross-Site Request Forgery (CSRF) vulnerability in Alexander Fuchs PHP Everywhere plugin 
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-45422
Publication date:
13/01/2022
Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability in the /goform/activate_process "count" parameter via GET. No authentication is required.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2025

CVE-2021-40573
Publication date:
13/01/2022
The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the gf_list_del function in list.c, which allows attackers to cause a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2022

CVE-2021-40572
Publication date:
13/01/2022
The binary MP4Box in Gpac 1.0.1 has a double-free bug in the av1dmx_finalize function in reframe_av1.c, which allows attackers to cause a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2023
Subscribe to Vulnerabilities