Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-38756

Publication date:

16/12/2022

A vulnerability has been identified in Micro Focus GroupWise Web in versions prior to 18.4.2. The GW Web component makes a request to the Post Office Agent that contains sensitive information in the query parameters that could be logged by any intervening HTTP proxies.

Severity CVSS v4.0: Pending analysis

Last modification:

18/04/2025

CVE-2022-37832

Publication date:

16/12/2022

Mutiny 7.2.0-10788 suffers from Hardcoded root password.

Severity CVSS v4.0: Pending analysis

Last modification:

18/04/2025

CVE-2022-26582

Publication date:

16/12/2022

PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow an attacker to gain root access through command injection in systool client. The attacker must have shell access to the device in order to exploit this vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

03/07/2024

CVE-2021-31650

Publication date:

16/12/2022

A SQL injection vulnerability in Sourcecodester Online Grading System 1.0 allows remote attackers to execute arbitrary SQL commands via the uname parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

21/04/2025

CVE-2021-38241

Publication date:

16/12/2022

Deserialization issue discovered in Ruoyi before 4.6.1 allows remote attackers to run arbitrary code via weak cipher in Shiro framework.

Severity CVSS v4.0: Pending analysis

Last modification:

21/04/2025

CVE-2022-23490

Publication date:

16/12/2022

BigBlueButton is an open source web conferencing system. Versions prior to 2.4.0 expose sensitive information to Unauthorized Actors. This issue affects meetings with polls, where the attacker is a meeting participant. Subscribing to the current-poll collection does not update the client UI, but does give the attacker access to the contents of the collection, which include the individual poll responses. This issue is patched in version 2.4.0. There are no workarounds.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2022-26579

Publication date:

16/12/2022

PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow a root privileged attacker to install unsigned packages. The attacker must have shell access to the device and gain root privileges in order to exploit this vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

27/10/2024

CVE-2022-26580

Publication date:

16/12/2022

PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow the execution of specific command injections on selected binaries in the ADB daemon shell service. The attacker must have physical USB access to the device in order to exploit this vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

28/10/2024

CVE-2022-26581

Publication date:

16/12/2022

PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow an unauthorized attacker to perform privileged actions through the execution of specific binaries listed in ADB daemon. The attacker must have physical USB access to the device in order to exploit this vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

03/07/2024

CVE-2022-46670

Publication date:

16/12/2022

Rockwell Automation was made aware of a vulnerability by a security researcher from Georgia Institute of Technology that the MicroLogix 1100 and 1400 controllers contain a vulnerability that may give an attacker the ability to accomplish remote code execution. The vulnerability is an unauthenticated stored cross-site scripting vulnerability in the embedded webserver. The payload is transferred to the controller over SNMP and is rendered on the homepage of the embedded website.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2022-3157

Publication date:

16/12/2022

A vulnerability exists in the Rockwell Automation controllers that allows a malformed CIP request to cause a major non-recoverable fault (MNRF) and a denial-of-service condition (DOS).

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2022-47210

Publication date:

16/12/2022

The default console presented to users over telnet (when enabled) is restricted to a subset of commands. Commands issued at this console, however, appear to be fed directly into a system call or other similar function. This allows any authenticated user to execute arbitrary commands on the device.

Severity CVSS v4.0: Pending analysis

Last modification:

17/04/2025

Subscribe to Vulnerabilities