Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-27642

Publication date:

29/03/2023

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700v3 1.0.4.120_10.0.91 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-15854.

Severity CVSS v4.0: Pending analysis

Last modification:

05/04/2023

CVE-2022-27643

Publication date:

29/03/2023

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700v3 1.0.4.120_10.0.91 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of SOAP requests. When parsing the SOAPAction header, the process does not properly validate the length of user-supplied data prior to copying it to a buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15692.

Severity CVSS v4.0: Pending analysis

Last modification:

05/04/2023

CVE-2022-27646

Publication date:

29/03/2023

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700v3 1.0.4.120_10.0.91 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the circled daemon. A crafted circleinfo.txt file can trigger an overflow of a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15879.

Severity CVSS v4.0: Pending analysis

Last modification:

06/04/2023

CVE-2022-28300

Publication date:

29/03/2023

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation 10.16.02.034 CONNECT. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JP2 images. Crafted data in a JP2 file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-16202.

Severity CVSS v4.0: Pending analysis

Last modification:

04/04/2023

CVE-2022-27647

Publication date:

29/03/2023

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700v3 1.0.4.120_10.0.91 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of the name or email field provided to libreadycloud.so. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15874.

Severity CVSS v4.0: Pending analysis

Last modification:

06/04/2023

CVE-2023-26984

Publication date:

29/03/2023

An issue in the password reset function of Peppermint v0.2.4 allows attackers to access the emails and passwords of the Tickets page via a crafted request.

Severity CVSS v4.0: Pending analysis

Last modification:

18/02/2025

CVE-2022-48434

Publication date:

29/03/2023

libavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and other products, leaves stale hwaccel state in worker threads, which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances (e.g., hardware re-initialization upon a mid-video SPS change when Direct3D11 is used).

Severity CVSS v4.0: Pending analysis

Last modification:

21/10/2024

CVE-2023-1550

Publication date:

29/03/2023

Insertion of Sensitive Information into log file vulnerability in NGINX Agent. NGINX Agent version 2.0 before 2.23.3 inserts sensitive information into a log file. An authenticated attacker with local access to read agent log files may gain access to private keys. This issue is only exposed when the non-default trace level logging is enabled. Note: NGINX Agent is included with NGINX Instance Manager and used in conjunction with NGINX API Connectivity Manager, and NGINX Management Suite Security Monitoring.

Severity CVSS v4.0: Pending analysis

Last modification:

11/05/2023

CVE-2023-26291

Publication date:

29/03/2023

Improper Neutralization of Input During Web Page Generation (&#39;Cross-site Scripting&#39;) vulnerability in Forcepoint Cloud Security Gateway (CSG) Portal on Web Cloud Security Gateway, Email Security Cloud (login_form.mhtml modules), Forcepoint Web Security Portal on Hybrid (login_form.mhtml modules) allows Reflected XSS.This issue affects Cloud Security Gateway (CSG): before 03/29/2023; Web Security: before 03/29/2023.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2023-26292

Publication date:

29/03/2023

Improper Neutralization of Input During Web Page Generation (&#39;Cross-site Scripting&#39;) vulnerability in Forcepoint Cloud Security Gateway (CSG) Portal on Web Cloud Security Gateway, Email Security Cloud (login_submit.mhtml modules), Forcepoint Web Security Portal on Hybrid (login_submit.mhtml modules) allows Reflected XSS.This issue affects Cloud Security Gateway (CSG): before 03/29/2023; Web Security: before 03/29/2023.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2023-26968

Publication date:

29/03/2023

In Atrocore 1.5.25, the Create Import Feed option with glyphicon-glyphicon-paperclip function is vulnerable to Unauthenticated File upload.

Severity CVSS v4.0: Pending analysis

Last modification:

18/02/2025

CVE-2023-26290

Publication date:

29/03/2023

Improper Neutralization of Input During Web Page Generation (&#39;Cross-site Scripting&#39;) vulnerability in Forcepoint Cloud Security Gateway (CSG) Portal on Web Cloud Security Gateway, Email Security Cloud (login_reset_request.mhtml modules), Forcepoint Web Security Portal on Hybrid (login_reset_request.mhtml modules) allows Reflected XSS.This issue affects Cloud Security Gateway (CSG): before 03/29/2023; Web Security: before 03/29/2023.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

Subscribe to Vulnerabilities