Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. The database is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-36865

Publication date: 30/09/2022
Insecure direct object references (IDOR) vulnerability in ExpressTech Quiz And Survey Master plugin
Severity CVSS v4.0: Pending analysis
Last modification: 20/02/2025

CVE-2022-41975

Publication date: 30/09/2022
RealVNC VNC Server before 6.11.0 and VNC Viewer before 6.22.826 on Windows allow local privilege escalation via MSI installer Repair mode.
Severity CVSS v4.0: Pending analysis
Last modification: 20/05/2025

CVE-2022-41870

Publication date: 30/09/2022
AP Manager in Innovaphone before 13r2 Service Release 17 allows command injection via a modified service ID during app upload.
Severity CVSS v4.0: Pending analysis
Last modification: 20/05/2025

CVE-2022-40944

Publication date: 30/09/2022
Dairy Farm Shop Management System 1.0 is vulnerable to SQL Injection via sales-report-ds.php file.
Severity CVSS v4.0: Pending analysis
Last modification: 20/05/2025

CVE-2021-33354

Publication date: 30/09/2022
Directory Traversal vulnerability in htmly before 2.8.1 allows remote attackers to perform arbitrary file deletions via modified file parameter.
Severity CVSS v4.0: Pending analysis
Last modification: 20/05/2025

CVE-2022-40313

Publication date: 30/09/2022
Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an XSS risk or a page failing to load.
Severity CVSS v4.0: Pending analysis
Last modification: 20/05/2025

CVE-2022-40314

Publication date: 30/09/2022
A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified.
Severity CVSS v4.0: Pending analysis
Last modification: 20/05/2025

CVE-2022-40315

Publication date: 30/09/2022
A limited SQL injection risk was identified in the "browse list of users" site administration page.
Severity CVSS v4.0: Pending analysis
Last modification: 20/05/2025

CVE-2022-40277

Publication date: 30/09/2022
Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious markdown file, via Joplin. This is possible because the application does not properly validate the schema/protocol of existing links in the markdown file before passing them to the 'shell.openExternal' function.
Severity CVSS v4.0: Pending analysis
Last modification: 20/05/2025

CVE-2022-40274

Publication date: 30/09/2022
Gridea version 0.9.3 allows an external attacker to execute arbitrary code remotely on any client attempting to view a malicious markdown file through Gridea. This is possible because the application has the 'nodeIntegration' option enabled.
Severity CVSS v4.0: Pending analysis
Last modification: 20/05/2025

CVE-2022-40316

Publication date: 30/09/2022
The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts/users in groups they should not have access to.
Severity CVSS v4.0: Pending analysis
Last modification: 20/05/2025

CVE-2022-36961

Publication date: 30/09/2022
A vulnerable component of Orion Platform was vulnerable to SQL Injection; an authenticated attacker could leverage this for privilege escalation or remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification: 16/09/2024