Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: you can select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-44299

Publication date: 19/01/2022
A reflected cross-site scripting (XSS) vulnerability in \lib\packages\themes\themes.php of Navigate CMS v2.9.4 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload.
Severity CVSS v4.0: Pending analysis
Last modification: 25/01/2022

CVE-2021-46203

Publication date: 19/01/2022
Taocms v3.0.2 was discovered to contain an arbitrary file read vulnerability via the path parameter.
Severity CVSS v4.0: Pending analysis
Last modification: 25/01/2022

CVE-2022-23221

Publication date: 19/01/2022
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
Severity CVSS v4.0: Pending analysis
Last modification: 05/05/2025

CVE-2022-22310

Publication date: 19/01/2022
IBM WebSphere Application Server Liberty 21.0.0.10 through 21.0.0.12 could provide weaker than expected security. A remote attacker could exploit this weakness to obtain sensitive information and gain unauthorized access to JAX-WS applications. IBM X-Force ID: 217224.
Severity CVSS v4.0: Pending analysis
Last modification: 08/08/2023

CVE-2021-38788

Publication date: 19/01/2022
The Background service in Allwinner R818 SoC Android Q SDK V1.0 is used to manage background applications. Malicious apps can use the interface provided by the service to set the number of applications allowed to run in the background to 0 and add themselves to the whitelist, so that once other applications enter the background, they will be forcibly stopped by the system, causing a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification: 12/07/2022

CVE-2021-46030

Publication date: 19/01/2022
There is a cross-site scripting (XSS) vulnerability in JavaQuarkBBS.
Severity CVSS v4.0: Pending analysis
Last modification: 25/01/2022

CVE-2021-44837

Publication date: 19/01/2022
An issue was discovered in Delta RM 1.2. It is possible for an unprivileged user to access the same information as an admin user regarding the risk creation information in the /risque/administration/referentiel/json/create/categorie endpoint, using the id_cat1 query parameter to indicate the risk.
Severity CVSS v4.0: Pending analysis
Last modification: 08/08/2023

CVE-2021-38787

Publication date: 19/01/2022
There is an integer overflow in the ION driver "/dev/ion" of Allwinner R818 SoC Android Q SDK V1.0 that could use the ioctl cmd "COMPAT_ION_IOC_SUNXI_FLUSH_RANGE" to cause a system crash (denial of service).
Severity CVSS v4.0: Pending analysis
Last modification: 26/01/2022

CVE-2021-46104

Publication date: 19/01/2022
An issue was discovered in webp_server_go 0.4.0. There is a directory traversal vulnerability that can read arbitrary file information on the server.
Severity CVSS v4.0: Pending analysis
Last modification: 25/01/2022

CVE-2021-45808

Publication date: 19/01/2022
jpress v4.2.0 allows users to register an account by default. With the account, a user can upload arbitrary files to the server.
Severity CVSS v4.0: Pending analysis
Last modification: 25/01/2022

CVE-2022-21395

Publication date: 19/01/2022
Vulnerability in the Oracle Communications Operations Monitor product of Oracle Communications (component: Mediation Engine). Supported versions that are affected are 3.4, 4.2, 4.3, 4.4 and 5.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Operations Monitor. Successful attacks of this vulnerability can result in takeover of Oracle Communications Operations Monitor. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Severity CVSS v4.0: Pending analysis
Last modification: 25/01/2022

CVE-2022-21398

Publication date: 19/01/2022
Vulnerability in the Oracle Communications Operations Monitor product of Oracle Communications (component: Mediation Engine). Supported versions that are affected are 3.4, 4.2, 4.3, 4.4 and 5.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications Operations Monitor. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Communications Operations Monitor, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Operations Monitor accessible data as well as unauthorized read access to a subset of Oracle Communications Operations Monitor accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
Severity CVSS v4.0: Pending analysis
Last modification: 25/01/2022