Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2022-27908

Publication date:
18/04/2022
Zoho ManageEngine OpManager before 125588 (and before 125603) is vulnerable to authenticated SQL Injection in the Inventory Reports module.
Severity CVSS v4.0: Pending analysis
Last modification:
26/04/2022

CVE-2022-28810

Publication date:
18/04/2022
Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field.
Severity CVSS v4.0: Pending analysis
Last modification:
31/10/2025

CVE-2022-1382

Publication date:
18/04/2022
NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.6.8. This vulnerability is capable of making radare2 crash, thus affecting the availability of the system.
Severity CVSS v4.0: Pending analysis
Last modification:
26/04/2022

CVE-2022-1383

Publication date:
18/04/2022
Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.6.8. The bug causes the program to read data past the end of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.
Severity CVSS v4.0: Pending analysis
Last modification:
26/04/2022

CVE-2022-1381

Publication date:
18/04/2022
Global heap buffer overflow in skip_range in GitHub repository vim/vim prior to 8.2.4763. This vulnerability is capable of crashing software, bypassing protection mechanisms, modifying memory, and possibly remote execution.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-28966

Publication date:
16/04/2022
Wasm3 0.5.0 has a heap-based buffer overflow in NewCodePage in m3_code.c (called indirectly from Compile_BranchTable in m3_compile.c).
Severity CVSS v4.0: Pending analysis
Last modification:
26/04/2022

CVE-2022-26653

Publication date:
16/04/2022
Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view domain details (such as the username and GUID of an administrator).
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-26777

Publication date:
16/04/2022
Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view license details.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-1380

Publication date:
16/04/2022
Stored Cross Site Scripting vulnerability in Item name parameter in GitHub repository snipe/snipe-it prior to v5.4.3. The vulnerability is capable of stealing the user's cookie.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2022

CVE-2022-29020

Publication date:
16/04/2022
ForestBlog through 2022-02-16 allows admin/profile/save userAvatar XSS during addition of a user avatar.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2022

CVE-2022-29287

Publication date:
16/04/2022
Kentico CMS before 13.0.66 has an Insecure Direct Object Reference vulnerability. It allows an attacker with user management rights (default is Administrator) to export the user options of any user, even ones with higher privileges (like Global Administrators) than the current user. The exported XML contains every option of the exported user (even the hashed password).
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2025

CVE-2022-1365

Publication date:
15/04/2022
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository lquixada/cross-fetch prior to 3.1.5.
Severity CVSS v4.0: Pending analysis
Last modification:
22/11/2022