Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-27984
Publication date:
26/04/2022
CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via the menu_filter parameter at /administrator/templates/default/html/windows/right.php.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2022

CVE-2022-27985
Publication date:
26/04/2022
CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via /administrator/alerts/alertLightbox.php.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2022

CVE-2022-27468
Publication date:
26/04/2022
Monstaftp v2.10.3 was discovered to contain an arbitrary file upload which allows attackers to execute arbitrary code via a crafted file uploaded to the web server.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2022

CVE-2022-27469
Publication date:
26/04/2022
Monstaftp v2.10.3 was discovered to allow attackers to execute Server-Side Request Forgery (SSRF).
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2022

CVE-2022-27299
Publication date:
26/04/2022
Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the component room.php.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2022

CVE-2022-24706
Publication date:
26/04/2022
In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.
Severity CVSS v4.0: Pending analysis
Last modification:
28/10/2025

CVE-2022-29806
Publication date:
26/04/2022
ZoneMinder before 1.36.13 allows remote code execution via an invalid language. Ability to create a debug log file at an arbitrary pathname contributes to exploitability.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2022

CVE-2022-29499
Publication date:
26/04/2022
The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual SA.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2022-24880
Publication date:
25/04/2022
flask-session-captcha is a package which allows users to extend Flask by adding an image based captcha stored in a server side session. In versions prior to 1.2.1, he `captcha.validate()` function would return `None` if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Version 1.2.1 fixes the issue. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2022

CVE-2021-35250
Publication date:
25/04/2022
A researcher reported a Directory Transversal Vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U 15.3 Hotfix 1.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2024

CVE-2022-23457
Publication date:
25/04/2022
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface. However, maintainers do not recommend this.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2022-29418
Publication date:
25/04/2022
Authenticated (admin user role) Persistent Cross-Site Scripting (XSS) in Mark Daniels Night Mode plugin
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2022
Subscribe to Vulnerabilities