Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-27938
Publication date:
26/03/2022
stb_image.h (aka the stb image loader) 2.19, as used in libsixel and other products, has a reachable assertion in stbi__create_png_image_raw.
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2022

CVE-2022-27939
Publication date:
26/03/2022
tcprewrite in Tcpreplay 4.4.1 has a reachable assertion in get_layer4_v6 in common/get.c.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-27940
Publication date:
26/03/2022
tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer over-read in get_ipv6_next in common/get.c.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-27941
Publication date:
26/03/2022
tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer over-read in get_l2len_protocol in common/get.c.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-27942
Publication date:
26/03/2022
tcpprep in Tcpreplay 4.4.1 has a heap-based buffer over-read in parse_mpls in common/get.c.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-27943
Publication date:
26/03/2022
libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-1071
Publication date:
26/03/2022
User after free in mrb_vm_exec in GitHub repository mruby/mruby prior to 3.2.
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2022

CVE-2022-22274
Publication date:
25/03/2022
A Stack-based buffer overflow vulnerability in the SonicOS via HTTP request allows a remote unauthenticated attacker to cause Denial of Service (DoS) or potentially results in code execution in the firewall.
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2022

CVE-2021-40904
Publication date:
25/03/2022
The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web-app Dokuwiki (installed by default), which allows embedded php code. As a result, remote code execution is achieved. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session by a user with the role of administrator.
Severity CVSS v4.0: Pending analysis
Last modification:
23/07/2024

CVE-2021-40906
Publication date:
25/03/2022
CheckMK Raw Edition software (versions 1.5.0 to 1.6.0) does not sanitise the input of a web service parameter that is in an unauthenticated zone. This Reflected XSS allows an attacker to open a backdoor on the device with HTML content and interpreted by the browser (such as JavaScript or other client-side scripts) or to steal the session cookies of a user who has previously authenticated via a man in the middle. Successful exploitation requires access to the web service resource without authentication.
Severity CVSS v4.0: Pending analysis
Last modification:
23/07/2024

CVE-2021-40905
Publication date:
25/03/2022
The web management console of CheckMK Enterprise Edition (versions 1.5.0 to 2.0.0p9) does not properly sanitise the uploading of ".mkp" files, which are Extension Packages, making remote code execution possible. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session of a user with administrator role. NOTE: the vendor states that this is the intended behavior: admins are supposed to be able to execute code in this manner
Severity CVSS v4.0: Pending analysis
Last modification:
04/08/2024

CVE-2022-22995
Publication date:
25/03/2022
The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025
Subscribe to Vulnerabilities