Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-27378

Publication date:
18/02/2021
An issue was discovered in the rand_core crate before 0.6.2 for Rust. Because read_u32_into and read_u64_into mishandle certain buffer-length checks, a random number generator may be seeded with too little data.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-27375

Publication date:
18/02/2021
Traefik before 2.4.5 allows the loading of IFRAME elements from other domains.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2020-9306

Publication date:
18/02/2021
Tesla SolarCity Solar Monitoring Gateway through 5.46.43 has a "Use of Hard-coded Credentials" issue because Digi ConnectPort X2e uses a .pyc file to store the cleartext password for the python user account.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-12878

Publication date:
18/02/2021
Digi ConnectPort X2e before 3.2.30.6 allows an attacker to escalate privileges from the python user to root via a symlink attack that uses chown, related to /etc/init.d/S50dropbear.sh and the /WEB/python/.ssh directory.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2021-27097

Publication date:
17/02/2021
The boot loader in Das U-Boot before 2021.04-rc2 mishandles a modified FIT.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2021-27138

Publication date:
17/02/2021
The boot loader in Das U-Boot before 2021.04-rc2 mishandles use of unit addresses in a FIT.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2020-8625

Publication date:
17/02/2021
BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credentialconfiguration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process. However, remote code execution, while unproven, is theoretically possible. Affects: BIND 9.5.0 -> 9.11.27, 9.12.0 -> 9.16.11, and versions BIND 9.11.3-S1 -> 9.11.27-S1 and 9.16.8-S1 -> 9.16.11-S1 of BIND Supported Preview Edition. Also release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-27374

Publication date:
17/02/2021
VertiGIS WebOffice 10.7 SP1 before patch20210202 and 10.8 SP1 before patch20210207 allows attackers to achieve "Zugriff auf Inhalte der WebOffice Applikation."
Severity CVSS v4.0: Pending analysis
Last modification:
25/02/2021

CVE-2020-36245

Publication date:
17/02/2021
GramAddict through 1.2.3 allows remote attackers to execute arbitrary code because of use of UIAutomator2 and ATX-Agent. The attacker must be able to reach TCP port 7912, e.g., by being on the same Wi-Fi network.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2021-26720

Publication date:
17/02/2021
avahi-daemon-check-dns.sh in the Debian avahi package through 0.8-4 is executed as root via /etc/network/if-up.d/avahi-daemon, and allows a local attacker to cause a denial of service or create arbitrary empty files via a symlink attack on files under /run/avahi-daemon. NOTE: this only affects the packaging for Debian GNU/Linux (used indirectly by SUSE), not the upstream Avahi product.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2022

CVE-2021-27367

Publication date:
17/02/2021
Controller/Backend/FileEditController.php and Controller/Backend/FilemanagerController.php in Bolt before 4.1.13 allow Directory Traversal.
Severity CVSS v4.0: Pending analysis
Last modification:
23/02/2021

CVE-2021-3396

Publication date:
17/02/2021
OpenNMS Meridian 2016, 2017, 2018 before 2018.1.25, 2019 before 2019.1.16, and 2020 before 2020.1.5, Horizon 1.2 through 27.0.4, and Newts
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022