Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-40881

Publication date:
17/11/2022
SolarView Compact 6.00 was discovered to contain a command injection vulnerability via network_test.php
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025

CVE-2022-42187

Publication date:
17/11/2022
Hustoj 22.09.22 has an XSS vulnerability in /admin/problem_judge.php.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025

CVE-2022-43781

Publication date:
17/11/2022
There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled “Allow public signup”.
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2024

CVE-2022-43782

Publication date:
17/11/2022
Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd's REST API under the {{usermanagement}} path. This vulnerability can only be exploited by IPs specified under the crowd application allowlist in the Remote Addresses configuration, which is {{none}} by default. The affected versions are all versions 3.x.x, versions 4.x.x before version 4.4.4, and versions 5.x.x before 5.0.3
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2024

CVE-2022-42960

Publication date:
17/11/2022
EqualWeb Accessibility Widget 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.10, 3.0.0, 3.0.1, 3.0.2, 4.0.0, and 4.0.1 allows DOM XSS due to improper validation of message events to accessibility.js.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2025

CVE-2021-38819

Publication date:
17/11/2022
A SQL injection vulnerability exists in the Simple Image Gallery System 1.0 application through the "id" parameter on the album page.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2025

CVE-2022-44003

Publication date:
16/11/2022
An issue was discovered in BACKCLICK Professional 5.9.63. Due to insufficient escaping of user-supplied input, the application is vulnerable to SQL injection at various locations.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2025

CVE-2022-44004

Publication date:
16/11/2022
An issue was discovered in BACKCLICK Professional 5.9.63. Due to insecure design or lack of authentication, unauthenticated attackers can complete the password-reset process for any account and set a new password.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2025

CVE-2022-44005

Publication date:
16/11/2022
An issue was discovered in BACKCLICK Professional 5.9.63. Due to the use of consecutive IDs in verification links, the newsletter sign-up functionality is vulnerable to the enumeration of subscribers' e-mail addresses. Furthermore, it is possible to subscribe and verify other persons' e-mail addresses to newsletters without their consent.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2025

CVE-2022-44006

Publication date:
16/11/2022
An issue was discovered in BACKCLICK Professional 5.9.63. Due to improper validation or sanitization of upload filenames, an externally reachable, unauthenticated update function permits writing files outside the intended target location. Achieving remote code execution is possible, e.g., by uploading an executable file.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2025

CVE-2022-44000

Publication date:
16/11/2022
An issue was discovered in BACKCLICK Professional 5.9.63. Due to an exposed internal communications interface, it is possible to execute arbitrary system commands on the server.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2025

CVE-2022-44002

Publication date:
16/11/2022
An issue was discovered in BACKCLICK Professional 5.9.63. Due to insufficient output encoding of user-supplied data, the web application is vulnerable to cross-site scripting (XSS) at various locations.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2025