Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-25860

Publication date:

26/01/2023

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).

Severity CVSS v4.0: Pending analysis

Last modification:

01/04/2025

CVE-2022-25882

Publication date:

26/01/2023

Versions of the package onnx before 1.13.0 are vulnerable to Directory Traversal as the external_data field of the tensor proto can have a path to the file which is outside the model current directory or user-provided directory, for example "../../../etc/passwd"

Severity CVSS v4.0: Pending analysis

Last modification:

01/04/2025

CVE-2022-25908

Publication date:

26/01/2023

All versions of the package create-choo-electron are vulnerable to Command Injection via the devInstall function due to improper user-input sanitization.

Severity CVSS v4.0: Pending analysis

Last modification:

01/04/2025

CVE-2022-25894

Publication date:

26/01/2023

All versions of the package com.bstek.uflo:uflo-core are vulnerable to Remote Code Execution (RCE) in the ExpressionContextImpl class via jexl.createExpression(expression).evaluate(context); functionality, due to improper user input validation.

Severity CVSS v4.0: Pending analysis

Last modification:

01/04/2025

CVE-2022-25847

Publication date:

26/01/2023

All versions of the package serve-lite are vulnerable to Cross-site Scripting (XSS) because when it detects a request to a directory, it renders a file listing of all of its contents with links that include the actual file names without any sanitization or output encoding.

Severity CVSS v4.0: Pending analysis

Last modification:

01/04/2025

CVE-2022-22462

Publication date:

26/01/2023

IBM Security Verify Governance, Identity Manager virtual appliance component 10.0.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 225078.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2022-25350

Publication date:

26/01/2023

All versions of the package puppet-facter are vulnerable to Command Injection via the getFact function due to improper input sanitization.

Severity CVSS v4.0: Pending analysis

Last modification:

01/04/2025

CVE-2022-21192

Publication date:

26/01/2023

All versions of the package serve-lite are vulnerable to Directory Traversal due to missing input sanitization or other checks and protections employed to the req.url passed as-is to path.join().

Severity CVSS v4.0: Pending analysis

Last modification:

01/04/2025

CVE-2022-20494

Publication date:

26/01/2023

In AutomaticZenRule of AutomaticZenRule.java, there is a possible persistent DoS due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-243794204

Severity CVSS v4.0: Pending analysis

Last modification:

03/04/2025

CVE-2022-20493

Publication date:

26/01/2023

In Condition of Condition.java, there is a possible way to grant notification access due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-242846316

Severity CVSS v4.0: Pending analysis

Last modification:

03/04/2025

CVE-2022-21810

Publication date:

26/01/2023

All versions of the package smartctl are vulnerable to Command Injection via the info method due to improper input sanitization.

Severity CVSS v4.0: Pending analysis

Last modification:

01/04/2025

CVE-2022-20489

Publication date:

26/01/2023

In many functions of AutomaticZenRule.java, there is a possible failure to persist permissions settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-242703460

Severity CVSS v4.0: Pending analysis

Last modification:

02/04/2025

Subscribe to Vulnerabilities