Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-24787
Publication date:
04/04/2022
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. In version 0.3.1 and prior, bytestrings can have dirty bytes in them, resulting in the word-for-word comparisons giving incorrect results. Even without dirty nonzero bytes, two bytestrings can compare to equal if one ends with `"\x00"` because there is no comparison of the length. A patch is available and expected to be part of the 0.3.2 release. There are currently no known workarounds.
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2023

CVE-2020-28062
Publication date:
04/04/2022
An Access Control vulnerability exists in HisiPHP 2.0.11 via special packets that are constructed in $files = Dir::getList($decompath. '/ Upload/Plugins /, which could let a remote malicious user execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
12/04/2022

CVE-2022-24785
Publication date:
04/04/2022
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2022-1170
Publication date:
04/04/2022
In the Noo JobMonster WordPress theme before 4.5.2.9 JobMonster there is a XSS vulnerability as the input for the search form is provided through unsanitized GET requests.
Severity CVSS v4.0: Pending analysis
Last modification:
11/04/2022

CVE-2022-1169
Publication date:
04/04/2022
There is a XSS vulnerability in Careerfy.
Severity CVSS v4.0: Pending analysis
Last modification:
11/04/2022

CVE-2022-1168
Publication date:
04/04/2022
There is a Cross-Site Scripting vulnerability in the JobSearch WP JobSearch WordPress plugin before 1.5.1.
Severity CVSS v4.0: Pending analysis
Last modification:
11/04/2022

CVE-2022-1167
Publication date:
04/04/2022
There are unauthenticated reflected Cross-Site Scripting (XSS) vulnerabilities in CareerUp Careerup WordPress theme before 2.3.1, via the filter parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-0887
Publication date:
04/04/2022
The Easy Social Icons WordPress plugin before 3.1.4 does not sanitize the selected_icons attribute to the cnss_widget before using it in an SQL statement, leading to a SQL injection vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
11/04/2022

CVE-2022-0901
Publication date:
04/04/2022
The Ad Inserter Free and Pro WordPress plugins before 2.7.12 do not sanitise and escape the REQUEST_URI before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode characters
Severity CVSS v4.0: Pending analysis
Last modification:
11/04/2022

CVE-2022-0958
Publication date:
04/04/2022
The Mark Posts WordPress plugin before 2.0.1 does not escape new markers, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
Severity CVSS v4.0: Pending analysis
Last modification:
11/04/2022

CVE-2022-1165
Publication date:
04/04/2022
The Blackhole for Bad Bots WordPress plugin before 3.3.2 uses headers such as CF-CONNECTING-IP, CLIENT-IP etc to determine the IP address of requests hitting the blackhole URL, which allows them to be spoofed. This could result in blocking arbitrary IP addresses, such as legitimate/good search engine crawlers / bots. This could also be abused by competitors to cause damage related to visibility in search engines, can be used to bypass arbitrary blocks caused by this plugin, block any visitor or even the administrator and even more.
Severity CVSS v4.0: Pending analysis
Last modification:
12/04/2022

CVE-2022-1164
Publication date:
04/04/2022
The Wyzi Theme was affected by reflected XSS vulnerabilities in the business search feature
Severity CVSS v4.0: Pending analysis
Last modification:
11/04/2022
Subscribe to Vulnerabilities