Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria, such as vulnerability type, manufacturer and impact level, among others, can be selected to narrow down the results.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2022-28982

Publication date:
22/09/2022
A cross-site scripting (XSS) vulnerability in Liferay Portal v7.3.3 through v7.4.2 and Liferay DXP v7.3 before service pack 3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name of a tag.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2025

CVE-2022-28979

Publication date:
22/09/2022
Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2025

CVE-2022-28978

Publication date:
22/09/2022
Stored cross-site scripting (XSS) vulnerability in the Site module's user membership administration page in Liferay Portal 7.0.1 through 7.4.1, and Liferay DXP 7.0 before fix pack 102, 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via a user's name.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2025

CVE-2022-39224

Publication date:
21/09/2022
Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious "payload compressor" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class of this library. Version 0.0.12 patches these issues. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field in an rpm can be checked by using the rpm command line tool.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2022

CVE-2022-35895

Publication date:
21/09/2022
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. The FwBlockSericceSmm driver does not properly validate input parameters for a software SMI routine, leading to memory corruption of arbitrary addresses including SMRAM, and possible arbitrary code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2025

CVE-2022-40217

Publication date:
21/09/2022
Authenticated (admin+) Arbitrary File Edit/Upload vulnerability in XplodedThemes WPide plugin
Severity CVSS v4.0: Pending analysis
Last modification:
20/02/2025

CVE-2022-36365

Publication date:
21/09/2022
Multiple Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in WHA Crossword plugin
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2022

CVE-2022-36383

Publication date:
21/09/2022
Multiple Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in WHA Word Search Puzzles game plugin
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2022

CVE-2022-36386

Publication date:
21/09/2022
Authenticated Arbitrary Code Execution vulnerability in Soflyy Import any XML or CSV File to WordPress plugin
Severity CVSS v4.0: Pending analysis
Last modification:
20/02/2025

CVE-2022-36390

Publication date:
21/09/2022
Authenticated (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Totalsoft Event Calendar – Calendar plugin
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2022

CVE-2022-38073

Publication date:
21/09/2022
Multiple Authenticated (custom specific plugin role) Persistent Cross-Site Scripting (XSS) vulnerability in Awesome Support plugin
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2022

CVE-2022-3233

Publication date:
21/09/2022
Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffweb prior to 2.4.6.
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2022