Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-40287

Publication date:
31/10/2022
<br /> The application was found to be vulnerable to an authenticated Stored Cross-Site Scripting (XSS) vulnerability in messaging functionality, leading to privilege escalation or a compromise of a targeted account.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2025

CVE-2022-40288

Publication date:
31/10/2022
<br /> The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the user profile data fields, which could be leveraged to escalate privileges within and compromise any account that views their user profile.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2025

CVE-2022-40291

Publication date:
31/10/2022
<br /> The application was vulnerable to Cross-Site Request Forgery (CSRF) attacks, allowing an attacker to coerce users into sending malicious requests to the site to delete their account, or in rare circumstances, hijack their account and create other admin accounts.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2025

CVE-2022-40290

Publication date:
31/10/2022
<br /> The application was vulnerable to an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in the barcode generation functionality, allowing attackers to generate an unsafe link that could compromise users.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2025

CVE-2022-3783

Publication date:
31/10/2022
A vulnerability, which was classified as problematic, has been found in node-red-dashboard. This issue affects some unknown processing of the file components/ui-component/ui-component-ctrl.js of the component ui_text Format Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is 9305d1a82f19b235dfad24a7d1dd4ed244db7743. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-212555.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-40289

Publication date:
31/10/2022
<br /> The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the upload and download functionality, which could be leveraged to escalate privileges or compromise any accounts they can coerce into observing the targeted files.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2025

CVE-2022-3784

Publication date:
31/10/2022
A vulnerability classified as critical was found in Axiomatic Bento4 5e7bb34. Affected by this vulnerability is the function AP4_Mp4AudioDsiParser::ReadBits of the file Ap4Mp4AudioInfo.cpp of the component mp4hls. The manipulation leads to heap-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-212563.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-3785

Publication date:
31/10/2022
A vulnerability, which was classified as critical, has been found in Axiomatic Bento4. Affected by this issue is the function AP4_DataBuffer::SetDataSize of the component Avcinfo. The manipulation leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-212564.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-3059

Publication date:
31/10/2022
<br /> The application was vulnerable to multiple instances of SQL injection (authenticated and unauthenticated) through a vulnerable parameter. Due to the stacked query support, complex SQL commands could be crafted and injected into the vulnerable parameter and using a sleep based inferential SQL injection it was possible to extract data from the database.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2023

CVE-2022-39019

Publication date:
31/10/2022
<br /> Broken access controls on PDFtron WebviewerUI in M-Files Hubshare before 3.3.11.3 allows unauthenticated attackers to upload malicious files to the application server.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2023

CVE-2022-39016

Publication date:
31/10/2022
<br /> Javascript injection in PDFtron in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to perform an account takeover via a crafted PDF upload.
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2023

CVE-2020-23255

Publication date:
31/10/2022
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023