Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2022-40954

Publication date:
22/11/2022
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Spark Provider, Apache Airflow allows an attacker to read arbitrary files in the task execution context, without write access to DAG files. This issue affects Spark Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Spark Provider is installed (Spark Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Spark Provider version 4.0.0 in order to get rid of the vulnerability on top of an Airflow 2.3.0+ version that has a lower version of the Spark Provider installed.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025

CVE-2022-40189

Publication date:
22/11/2022
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Pig Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Pig Provider is installed (Pig Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pig Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025

CVE-2022-38649

Publication date:
22/11/2022
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Apache Airflow Pinot Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Apache Airflow Pinot Provider is installed (Apache Airflow Pinot Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pinot Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025

CVE-2022-45363

Publication date:
22/11/2022
Auth. (subscriber+) Stored Cross-Site Scripting (XSS) in Muffingroup Betheme theme
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-37931

Publication date:
22/11/2022
A vulnerability in NetBatch-Plus software allows unauthorized access to the application. HPE has provided a workaround and fix. Please refer to HPE Security Bulletin HPESBNS04388 for details.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-4111

Publication date:
22/11/2022
Unrestricted file size limit can lead to DoS in tooljet/tooljet
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2023

CVE-2022-40602

Publication date:
22/11/2022
A flaw in the Zyxel LTE3301-M209 firmware versions prior to V1.00(ABLG.6)C0 could allow a remote attacker to access the device using an improper pre-configured password if the remote administration feature has been enabled by an authenticated administrator.
Severity CVSS v4.0: Pending analysis
Last modification:
26/11/2022

CVE-2022-36227

Publication date:
22/11/2022
In libarchive before 3.6.2, the software does not check for an error after calling the calloc function, which can return a NULL pointer if it fails, leading to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: "In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution."
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2022-35407

Publication date:
22/11/2022
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. A stack buffer overflow leads to arbitrary code execution in the SetupUtility driver on Intel platforms. An attacker can change the values of certain UEFI variables. If the size of the second variable exceeds the size of the first, then the buffer will be overwritten. This issue affects the SetupUtility driver of InsydeH2O.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025

CVE-2022-43214

Publication date:
22/11/2022
Billing System Project v1.0 was discovered to contain a SQL injection vulnerability via the orderId parameter at printOrder.php.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025

CVE-2022-43215

Publication date:
22/11/2022
Billing System Project v1.0 was discovered to contain a SQL injection vulnerability via the endDate parameter at getOrderReport.php.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025

CVE-2022-43685

Publication date:
22/11/2022
CKAN through 2.9.6 allows account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account, including superuser accounts.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025