Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2022-44291

Publication date:
02/12/2022
webTareas 2.4p5 was discovered to contain a SQL injection vulnerability via the id parameter in phasesets.php.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2025

CVE-2022-2641

Publication date:
02/12/2022
Horner Automation’s RCC 972 with firmware version 15.40 has a static encryption key on the device. This could allow an attacker to perform unauthorized changes to the device, remotely execute arbitrary code, or cause a denial-of-service condition.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2022

CVE-2022-2642

Publication date:
02/12/2022
Horner Automation’s RCC 972 firmware version 15.40 contains global variables. This could allow an attacker to read out sensitive values and variable keys from the device.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2022

CVE-2022-2640

Publication date:
02/12/2022
The Config-files of Horner Automation’s RCC 972 with firmware version 15.40 are encrypted with weak XOR encryption vulnerable to reverse engineering. This could allow an attacker to obtain credentials to run services such as File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP).
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2022

CVE-2022-3520

Publication date:
02/12/2022
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0765.
Severity CVSS v4.0: Pending analysis
Last modification:
03/05/2023

CVE-2022-46167

Publication date:
02/12/2022
Capsule is a multi-tenancy and policy-based framework for Kubernetes. Prior to version 0.1.3, a ServiceAccount deployed in a Tenant Namespace, when granted with `PATCH` capabilities on its own Namespace, is able to edit it and remove the Owner Reference, breaking the reconciliation of the Capsule Operator and removing all the enforcement like Pod Security annotations, Network Policies, Limit Range and Resource Quota items. An attacker could detach the Namespace from a Tenant that is forbidding starting privileged Pods using the Pod Security labels by removing the OwnerReference, removing the enforcement labels, and being able to start privileged containers that would be able to start a generic Kubernetes privilege escalation. Patches have been released for version 0.1.3. No known workarounds are available.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-46145

Publication date:
02/12/2022
authentik is an open-source identity provider. Versions prior to 2022.11.2 and 2022.10.2 are vulnerable to unauthorized user creation and potential account takeover. With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts. authentik 2022.11.2 and 2022.10.2 fix this issue. As a workaround, a policy can be created and bound to the `default-user-settings-flow flow` with the contents `return request.user.is_authenticated`.
Severity CVSS v4.0: Pending analysis
Last modification:
23/06/2023

CVE-2022-45667

Publication date:
02/12/2022
Tenda i22 V1.0.0.3(4687) is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolRestoreSet.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2025

CVE-2022-45668

Publication date:
02/12/2022
Tenda i22 V1.0.0.3(4687) is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolReboot.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2025

CVE-2022-45661

Publication date:
02/12/2022
Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the time parameter in the setSmartPowerManagement function.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2025

CVE-2022-45663

Publication date:
02/12/2022
Tenda i22 V1.0.0.3(4687) was discovered to contain a buffer overflow via the index parameter in the formWifiMacFilterSet function.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2025

CVE-2022-45664

Publication date:
02/12/2022
Tenda i22 V1.0.0.3(4687) was discovered to contain a buffer overflow via the list parameter in the formwrlSSIDget function.
Severity CVSS v4.0: Pending analysis
Last modification:
24/04/2025