Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-44037
Publication date:
29/11/2022
An access control issue in APsystems ENERGY COMMUNICATION UNIT (ECU-C) Power Control Software V4.1NA, V3.11.4, W2.1NA, V4.1SAA, C1.2.2 allows attackers to access sensitive data and execute specific commands and functions with full admin rights without authenticating allows him to perform multiple attacks, such as attacking wireless network in the product's range.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2025

CVE-2022-36136
Publication date:
29/11/2022
ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input Deposit Comment.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2025

CVE-2022-36137
Publication date:
29/11/2022
ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input sHeader.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2025

CVE-2022-42109
Publication date:
29/11/2022
Online-shopping-system-advanced 1.0 was discovered to contain a SQL injection vulnerability via the p parameter at /shopping/product.php.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2025

CVE-2022-42100
Publication date:
29/11/2022
KLiK SocialMediaWebsite Version 1.0.1 has XSS vulnerabilities that allow attackers to store XSS via location input reply-form.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2025

CVE-2022-42099
Publication date:
29/11/2022
KLiK SocialMediaWebsite Version 1.0.1 has XSS vulnerabilities that allow attackers to store XSS via location Forum Subject input.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2025

CVE-2022-32967
Publication date:
29/11/2022
RTL8111EP-CG/RTL8111FP-CG DASH function has hard-coded password. An unauthenticated physical attacker can use the hard-coded default password during system reboot triggered by other user, to acquire partial system information such as serial number and server information.
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2022

CVE-2022-32966
Publication date:
29/11/2022
RTL8168FP-CG Dash remote management function has missing authorization. An unauthenticated attacker within the adjacent network can connect to DASH service port to disrupt service.
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2022

CVE-2022-41676
Publication date:
29/11/2022
Raiden MAILD Mail Server website mail field has insufficient filtering for user input. A remote attacker with general user privilege can send email using the website with malicious JavaScript in the input field, which triggers XSS (Reflected Cross-Site Scripting) attack to the mail recipient.
Severity CVSS v4.0: Pending analysis
Last modification:
01/12/2022

CVE-2022-41675
Publication date:
29/11/2022
A remote attacker with general user privilege can inject malicious code in the form content of Raiden MAILD Mail Server website. Other users export form content as CSV file can trigger arbitrary code execution and allow the attacker to perform arbitrary system operation or disrupt service on the user side.
Severity CVSS v4.0: Pending analysis
Last modification:
01/12/2022

CVE-2022-45306
Publication date:
29/11/2022
Insecure permissions in Chocolatey Azure-Pipelines-Agent package v2.211.1 and below grants all users in the Authenticated Users group write privileges for the subfolder C:\agent and all files located in that folder.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2025

CVE-2022-45305
Publication date:
29/11/2022
Insecure permissions in Chocolatey Python3 package v3.11.0 and below grants all users in the Authenticated Users group write privileges for the subfolder C:\Python311 and all files located in that folder.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2025
Subscribe to Vulnerabilities