Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database); by virtue of a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-25875

Publication date:
01/11/2021
AVideo/YouPHPTube 10.0 and prior has multiple reflected Cross-Site Scripting vulnerabilities via the searchPhrase parameter, which allow a remote attacker to steal administrators' session cookies or perform actions as an administrator.
Severity CVSS v4.0: Pending analysis
Last modification:
14/02/2024

CVE-2021-25878

Publication date:
01/11/2021
AVideo/YouPHPTube 10.0 and prior is affected by multiple reflected Cross-Site Scripting vulnerabilities via the videoName parameter, which allow a remote attacker to steal administrators' session cookies or perform actions as an administrator.
Severity CVSS v4.0: Pending analysis
Last modification:
14/02/2024

CVE-2021-25876

Publication date:
01/11/2021
AVideo/YouPHPTube 10.0 and prior has multiple reflected Cross-Site Scripting vulnerabilities via the u parameter, which allow a remote attacker to steal administrators' session cookies or perform actions as an administrator.
Severity CVSS v4.0: Pending analysis
Last modification:
14/02/2024

CVE-2021-25877

Publication date:
01/11/2021
AVideo/YouPHPTube 10.0 and prior is affected by an insecure file write: an administrator-privileged user is able to write files to the filesystem using the flag and code variables in the file save.php.
Severity CVSS v4.0: Pending analysis
Last modification:
14/02/2024

CVE-2021-42557

Publication date:
01/11/2021
In Jeedom through 4.1.19, a bug allows a remote attacker to bypass API access controls and retrieve users' credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-25874

Publication date:
01/11/2021
AVideo/YouPHPTube 10.0 and prior is affected by a SQL injection in the catName parameter, which allows a remote unauthenticated attacker to retrieve database information such as application password hashes.
Severity CVSS v4.0: Pending analysis
Last modification:
14/02/2024

CVE-2021-27644

Publication date:
01/11/2021
In Apache DolphinScheduler versions before 1.3.6, authorized users can perform SQL injection in the data source center (only applicable to a MySQL data source with an internal login account password).
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-41973

Publication date:
01/11/2021
In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP header decoder to loop indefinitely. The decoder assumed that the HTTP header begins at the start of the buffer and loops if there is more data than expected. Please update MINA to 2.1.5 or greater.
Severity CVSS v4.0: Pending analysis
Last modification:
02/05/2022

CVE-2021-24723

Publication date:
01/11/2021
The WP Reactions Lite WordPress plugin before 1.3.6 does not properly sanitize inputs within wp-admin pages, allowing users with sufficient access to inject XSS payloads within /wp-admin/ pages.
Severity CVSS v4.0: Pending analysis
Last modification:
02/11/2021

CVE-2021-24773

Publication date:
01/11/2021
The WordPress Download Manager WordPress plugin before 3.2.16 does not escape some of the Download settings when outputting them, allowing high-privilege users to perform XSS attacks even when the unfiltered_html capability is disallowed.
Severity CVSS v4.0: Pending analysis
Last modification:
21/03/2025

CVE-2021-24781

Publication date:
01/11/2021
The Image Source Control WordPress plugin before 2.3.1 allows users with a role as low as Contributor to change arbitrary post meta fields of arbitrary posts (even those they should not be able to edit).
Severity CVSS v4.0: Pending analysis
Last modification:
02/11/2021

CVE-2021-24789

Publication date:
01/11/2021
The Flat Preloader WordPress plugin before 1.5.5 does not escape some of its settings when outputting them in an attribute in the frontend, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Severity CVSS v4.0: Pending analysis
Last modification:
02/11/2021