Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2022-41329

Publication date:
07/03/2023
An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in Fortinet FortiProxy version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.7, FortiOS version 7.2.0 through 7.2.3 and 7.0.0 through 7.0.9 allows an unauthenticated attacker to obtain sensitive logging information on the device via crafted HTTP GET requests.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-41333

Publication date:
07/03/2023
An uncontrolled resource consumption vulnerability [CWE-400] in the login authentication mechanism of FortiRecorder version 6.4.3 and below, 6.0.11 and below may allow an unauthenticated attacker to make the device unavailable via crafted GET requests.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-25223

Publication date:
07/03/2023
CRMEB
Severity CVSS v4.0: Pending analysis
Last modification:
05/03/2025

CVE-2022-41328

Publication date:
07/03/2023
An improper limitation of a pathname to a restricted directory vulnerability ('path traversal') [CWE-22] in Fortinet FortiOS version 7.2.0 through 7.2.3, 7.0.0 through 7.0.9 and before 6.4.11 allows a privileged attacker to read and write files on the underlying Linux system via crafted CLI commands.
Severity CVSS v4.0: Pending analysis
Last modification:
24/10/2025

CVE-2022-40676

Publication date:
07/03/2023
An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.8, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 allows an attacker to execute unauthorized code or commands via specially crafted HTTP requests.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-27490

Publication date:
07/03/2023
An exposure of sensitive information to an unauthorized actor in Fortinet FortiManager version 6.0.0 through 6.0.4, FortiAnalyzer version 6.0.0 through 6.0.4, FortiPortal version 6.0.0 through 6.0.9, 5.3.0 through 5.3.8, 5.2.x, 5.1.0, 5.0.x, 4.2.x, 4.1.x, FortiSwitch version 7.0.0 through 7.0.4, 6.4.0 through 6.4.10, 6.2.x, 6.0.x allows an attacker who has obtained access to a restricted administrative account to obtain sensitive information via `diagnose debug` commands.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-39953

Publication date:
07/03/2023
An improper privilege management vulnerability in Fortinet FortiNAC version 9.4.0 through 9.4.1, FortiNAC version 9.2.0 through 9.2.6, FortiNAC version 9.1.0 through 9.1.8, FortiNAC all versions 8.8, FortiNAC all versions 8.7, FortiNAC all versions 8.6, FortiNAC all versions 8.5, FortiNAC version 8.3.7 allows an attacker to escalate privileges via specially crafted commands.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-39951

Publication date:
07/03/2023
An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiWeb version 7.0.0 through 7.0.2, FortiWeb version 6.3.6 through 6.3.20, FortiWeb 6.4 all versions allows an attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-22297

Publication date:
07/03/2023
An incomplete filtering of one or more instances of special elements vulnerability [CWE-792] in the command line interpreter of FortiWeb version 6.4.0 through 6.4.1, FortiWeb version 6.3.0 through 6.3.17, FortiWeb all versions 6.2, FortiWeb all versions 6.1, FortiWeb all versions 6.0, FortiRecorder version 6.4.0 through 6.4.3, FortiRecorder all versions 6.0, FortiRecorder all versions 2.7 may allow an authenticated user to read arbitrary files via specially crafted command arguments.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-27522

Publication date:
07/03/2023
HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55.
Special characters in the origin response header can truncate/split the response forwarded to the client.
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2025

CVE-2020-36670

Publication date:
07/03/2023
The NEX-Forms plugin for WordPress is vulnerable to unauthorized disclosure and modification of data in versions up to, and including, 7.7.1 due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber-level permissions and above to invoke these functions, which can be used to perform actions like modifying form submission records, deleting files, sending test emails, modifying plugin settings, and more.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-25690

Publication date:
07/03/2023
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack.
Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like:
    RewriteEngine on
    RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
    ProxyPassReverse /here/ http://example.com:8080/
Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2025