Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with different criteria available to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-36905

Publication date:
17/11/2022
Multiple Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in Quiz And Survey Master plugin
Severity CVSS v4.0: Pending analysis
Last modification:
22/11/2022

CVE-2022-44001

Publication date:
17/11/2022
An issue was discovered in BACKCLICK Professional 5.9.63. User authentication for accessing the CORBA back-end services can be bypassed.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025

CVE-2022-44725

Publication date:
17/11/2022
OPC Foundation Local Discovery Server (LDS) through 1.04.403.478 uses a hard-coded file path to a configuration file. This allows a normal user to create a malicious file that is loaded by LDS (running as a high-privilege user).
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025

CVE-2022-45072

Publication date:
17/11/2022
Cross-Site Request Forgery (CSRF) vulnerability in WPML Multilingual CMS premium plugin
Severity CVSS v4.0: Pending analysis
Last modification:
22/11/2022

CVE-2022-45071

Publication date:
17/11/2022
Cross-Site Request Forgery (CSRF) vulnerability in WPML Multilingual CMS premium plugin
Severity CVSS v4.0: Pending analysis
Last modification:
22/11/2022

CVE-2021-31608

Publication date:
17/11/2022
Proofpoint Enterprise Protection before 18.8.0 allows a Bypass of a Security Control.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2025

CVE-2022-39389

Publication date:
17/11/2022
Lightning Network Daemon (lnd) is an implementation of a lightning bitcoin overlay network node. All lnd nodes before version `v0.15.4` are vulnerable to a block parsing bug that can cause a node to enter a degraded state once encountered. In this degraded state, nodes can continue to make payments and forward HTLCs, and close out channels. Opening channels is prohibited, and also on chain transaction events will be undetected. This can cause loss of funds if a CSV expiry is researched during a breach attempt or a CLTV delta expires forgetting the funds in the HTLC. A patch is available in `lnd` version 0.15.4. Users are advised to upgrade. Users unable to upgrade may use the `lncli updatechanpolicy` RPC call to increase their CLTV value to a very high amount or increase their fee policies. This will prevent nodes from routing through your node, meaning that no pending HTLCs can be present.
Severity CVSS v4.0: Pending analysis
Last modification:
22/11/2022

CVE-2022-43192

Publication date:
17/11/2022
An arbitrary file upload vulnerability in the component /dede/file_manage_control.php of Dedecms v5.7.101 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is related to an incomplete fix for CVE-2022-40886.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025

CVE-2022-3090

Publication date:
17/11/2022
Red Lion Controls Crimson 3.0 versions 707.000 and prior, Crimson 3.1 versions 3126.001 and prior, and Crimson 3.2 versions 3.2.0044.0 and prior are vulnerable to path traversal. When attempting to open a file using a specific path, the user's password hash is sent to an arbitrary host. This could allow an attacker to obtain user credential hashes.
Severity CVSS v4.0: Pending analysis
Last modification:
22/11/2022

CVE-2022-38461

Publication date:
17/11/2022
Broken Access Control vulnerability in WPML Multilingual CMS premium plugin
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2023

CVE-2022-42903

Publication date:
17/11/2022
Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to view the organization users list.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2025

CVE-2022-43163

Publication date:
17/11/2022
Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /clients/view_client.php.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025