Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a Spanish-language database, open to any interested user, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-24512

Publication date:
16/08/2021
The Video Posts Webcam Recorder WordPress plugin before 3.2.4 has an authenticated reflected cross site scripting (XSS) vulnerability in one of the administrative functions for handling deletion of videos.
Severity CVSS v4.0: Pending analysis
Last modification:
23/08/2021

CVE-2021-24410

Publication date:
16/08/2021
The తెలుగు బైబిల్ వచనములు WordPress plugin through 1.0 lacks any CSRF check when saving its settings and verses, and does not sanitise or escape them when outputting them back in the page. This could allow attackers to make a logged-in admin change the settings, as well as add malicious verses containing JavaScript code, leading to Stored XSS issues.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-24362

Publication date:
16/08/2021
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to a gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly (i.e. in the /wp-content/uploads/photo-gallery/ folder), leading to a Cross-Site Scripting (XSS) issue.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-33193

Publication date:
16/08/2021
A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2025

CVE-2021-23422

Publication date:
16/08/2021
This affects the package bikeshed before 3.0.0. This can occur when an untrusted source file containing Inline Tag Command metadata is processed. When an arbitrary OS command is executed, the command output would be included in the HTML output.
Severity CVSS v4.0: Pending analysis
Last modification:
23/08/2021

CVE-2021-23423

Publication date:
16/08/2021
This affects the package bikeshed before 3.0.0. This can occur when an untrusted source file containing include, include-code or include-raw block is processed. The contents of arbitrary files could be disclosed in the HTML output.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2021

CVE-2021-35936

Publication date:
16/08/2021
If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG jobs. This issue affects Apache Airflow
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2022

CVE-2021-3708

Publication date:
16/08/2021
D-Link router DSL-2750U with firmware vME1.16 or prior versions is vulnerable to OS command injection. An unauthenticated attacker on the local network may exploit this, with CVE-2021-3707, to execute any OS commands on the vulnerable device.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-3707

Publication date:
16/08/2021
D-Link router DSL-2750U with firmware vME1.16 or prior versions is vulnerable to unauthorized configuration modification. An unauthenticated attacker on the local network may exploit this, with CVE-2021-3708, to execute any OS commands on the vulnerable device.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-38713

Publication date:
16/08/2021
imgURL 2.31 allows XSS via an X-Forwarded-For HTTP header.
Severity CVSS v4.0: Pending analysis
Last modification:
23/08/2021

CVE-2021-38711

Publication date:
16/08/2021
In gitit before 0.15.0.0, the Export feature can be exploited to leak information from files.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2021

CVE-2021-38712

Publication date:
16/08/2021
OneNav 0.9.12 allows Information Disclosure of the onenav.db3 contents. NOTE: the vendor's recommended solution is to block the access via an NGINX configuration file.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2021