Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-2943

Publication date:

06/09/2022

The WordPress Infinite Scroll – Ajax Load More plugin for Wordpress is vulnerable to arbitrary file reading in versions up to, and including, 5.5.3 due to insufficient file path validation on the alm_repeaters_export() function. This makes it possible for authenticated attackers, with administrative privileges, to download arbitrary files hosted on the server that may contain sensitive content, such as the wp-config.php file.

Severity CVSS v4.0: Pending analysis

Last modification:

05/05/2025

CVE-2022-38289

Publication date:

06/09/2022

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2022-35931

Publication date:

06/09/2022

Nextcloud Password Policy is an app that enables a Nextcloud server admin to define certain rules for passwords. Prior to versions 22.2.10, 23.0.7, and 24.0.3 the random password generator may, in very rare cases, generate common passwords that the validator itself would block. Upgrade Nextcloud Server to 22.2.10, 23.0.7 or 24.0.3 to receive a patch for the issue in Password Policy. There are no known workarounds available.

Severity CVSS v4.0: Pending analysis

Last modification:

09/09/2022

CVE-2022-34867

Publication date:

06/09/2022

Unauthenticated Sensitive Information Disclosure vulnerability in WP Libre Form 2 plugin

Severity CVSS v4.0: Pending analysis

Last modification:

09/09/2022

CVE-2022-32264

Publication date:

06/09/2022

sys/netinet/tcp_timer.h in FreeBSD before 7.0 contains a denial-of-service (DoS) vulnerability due to improper handling of TSopt on TCP connections. NOTE: This vulnerability only affects products that are no longer supported by the maintainer

Severity CVSS v4.0: Pending analysis

Last modification:

17/06/2025

CVE-2022-30298

Publication date:

06/09/2022

An improper privilege management vulnerability [CWE-269] in Fortinet FortiSOAR before 7.2.1 allows a GUI user who has already found a way to modify system files (via another, unrelated and hypothetical exploit) to execute arbitrary Python commands as root.

Severity CVSS v4.0: Pending analysis

Last modification:

09/09/2022

CVE-2022-34656

Publication date:

06/09/2022

Authenticated (admin+) Cross-Site Scripting (XSS) vulnerability in wpdevart Poll, Survey, Questionnaire and Voting system plugin

Severity CVSS v4.0: Pending analysis

Last modification:

09/09/2022

CVE-2022-33177

Publication date:

06/09/2022

Cross-Site Request Forgery (CSRF) vulnerability in WPdevelop/Oplugins Booking Calendar plugin

Severity CVSS v4.0: Pending analysis

Last modification:

09/09/2022

CVE-2022-31860

Publication date:

06/09/2022

An issue was discovered in OpenRemote through 1.0.4 allows attackers to execute arbitrary code via a crafted Groovy rule.

Severity CVSS v4.0: Pending analysis

Last modification:

12/06/2025

CVE-2022-2735

Publication date:

06/09/2022

A vulnerability was found in the PCS project. This issue occurs due to incorrect permissions on a Unix socket used for internal communication between PCS daemons. A privilege escalation could happen by obtaining an authentication token for a hacluster user. With the "hacluster" token, this flaw allows an attacker to have complete control over the cluster managed by PCS.

Severity CVSS v4.0: Pending analysis

Last modification:

25/01/2024

CVE-2022-2633

Publication date:

06/09/2022

The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file downloads and blind server-side request forgery via the &#39;dl&#39; parameter found in the ~/public/video.php file in versions up to, and including 2.6.0. This makes it possible for unauthenticated users to download sensitive files hosted on the affected server and forge requests to the server.

Severity CVSS v4.0: Pending analysis

Last modification:

11/01/2024

CVE-2022-2516

Publication date:

06/09/2022

The Visual Composer Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post/page &#39;Title&#39; value in versions up to, and including, 45.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the visual composer editor to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity CVSS v4.0: Pending analysis

Last modification:

13/09/2022

Subscribe to Vulnerabilities