Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2022-25082

Publication date:
24/02/2022
TOTOLink A950RG V5.9c.4050_B20190424 and V4.1.2cu.5204_B20210112 were discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-25083

Publication date:
24/02/2022
TOTOLink A860R V4.1.2cu.5182_B20201027 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-25084

Publication date:
24/02/2022
TOTOLink T6 V5.9c.4085_B20190428 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-24374

Publication date:
24/02/2022
Cross-site scripting vulnerability in a-blog cms Ver.2.8.x series versions prior to Ver.2.8.75, Ver.2.9.x series versions prior to Ver.2.9.40, Ver.2.10.x series versions prior to Ver.2.10.44, Ver.2.11.x series versions prior to Ver.2.11.42, and Ver.3.0.x series versions prior to Ver.3.0.1 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. This vulnerability is different from CVE-2022-23916.
Severity CVSS v4.0: Pending analysis
Last modification:
02/03/2022

CVE-2022-24435

Publication date:
24/02/2022
Cross-site scripting vulnerability in phpUploader v1.2 and earlier allows a remote unauthenticated attacker to inject an arbitrary script via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
02/03/2022

CVE-2022-24565

Publication date:
24/02/2022
Checkmk
Severity CVSS v4.0: Pending analysis
Last modification:
23/07/2024

CVE-2022-24566

Publication date:
24/02/2022
In Checkmk
Severity CVSS v4.0: Pending analysis
Last modification:
23/07/2024

CVE-2022-24582

Publication date:
24/02/2022
Accounting Journal Management 1.0 is vulnerable to XSS-PHPSESSID-Hijacking. The parameter manage_user from User lists is vulnerable to XSS-Stored and PHPSESSID attacks. The malicious user can attack the system by using the session which he already has, from inside and outside of the network.
Severity CVSS v4.0: Pending analysis
Last modification:
02/03/2022

CVE-2022-24613

Publication date:
24/02/2022
metadata-extractor up to 2.16.0 can throw various uncaught exceptions while parsing a specially crafted JPEG file, which could result in an application crash. This could be used to mount a denial of service attack against services that use the metadata-extractor library.
Severity CVSS v4.0: Pending analysis
Last modification:
05/09/2025

CVE-2022-24614

Publication date:
24/02/2022
When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory, which finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use the metadata-extractor library.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2025

CVE-2022-24620

Publication date:
24/02/2022
Piwigo version 12.2.0 is vulnerable to stored cross-site scripting (XSS), which can lead to privilege escalation. In this way, an admin can steal the webmaster's cookies to gain the webmaster's access.
Severity CVSS v4.0: Pending analysis
Last modification:
02/03/2022

CVE-2022-24633

Publication date:
24/02/2022
All versions of FileCloud prior to 21.3 are vulnerable to user enumeration. The vulnerability exists in the parameter "path" passing "/SHARED/". A malicious actor could identify the existence of users by requesting share information on specified share paths.
Severity CVSS v4.0: Pending analysis
Last modification:
02/03/2022