Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-31186
Publication date: 11/05/2021
Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification: 02/08/2023

CVE-2021-27068
Publication date: 11/05/2021
Visual Studio Remote Code Execution Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification: 29/12/2023

CVE-2020-18964
Publication date: 11/05/2021
Cross Site Request Forgery (CSRF) Vulnerability in ForestBlog latest version via the website Management background, which could let a remote malicious user gain privileges.
Severity CVSS v4.0: Pending analysis
Last modification: 19/05/2021

CVE-2021-28455
Publication date: 11/05/2021
Microsoft Jet Red Database Engine and Access Connectivity Engine Remote Code Execution Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification: 29/12/2023

CVE-2021-26418
Publication date: 11/05/2021
Microsoft SharePoint Server Spoofing Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification: 28/02/2025

CVE-2021-26419
Publication date: 11/05/2021
Scripting Engine Memory Corruption Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification: 16/04/2024

CVE-2021-26421
Publication date: 11/05/2021
Skype for Business and Lync Spoofing Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification: 02/08/2023

CVE-2021-26422
Publication date: 11/05/2021
Skype for Business and Lync Remote Code Execution Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification: 02/08/2023

CVE-2021-32573
Publication date: 11/05/2021
The express-cart package through 1.1.10 for Node.js allows Reflected XSS (for an admin) via a user input field for product options. NOTE: the vendor states that this "would rely on an admin hacking his/her own website."
Severity CVSS v4.0: Pending analysis
Last modification: 04/08/2024

CVE-2021-29508
Publication date: 11/05/2021
Due to how Wire handles type information in its serialization format, malicious payloads can be passed to a deserializer: for example, by using a surrogate on the sending end, an attacker can pass information about a different type to the receiving end, thereby allowing the serializer to create any type on the deserializing end. This is the same issue that exists for .NET BinaryFormatter (https://docs.microsoft.com/en-us/visualstudio/code-quality/ca2300?view=vs-2019). This also applies to the fork of Wire.
Severity CVSS v4.0: Pending analysis
Last modification: 25/05/2021

CVE-2021-29509
Publication date: 11/05/2021
Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its thread pool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in `puma` 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma.
Severity CVSS v4.0: Pending analysis
Last modification: 27/10/2022

CVE-2020-4535
Publication date: 11/05/2021
IBM OpenPages GRC Platform 8.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 182906.
Severity CVSS v4.0: Pending analysis
Last modification: 14/05/2021