Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-4022
Publication date:
16/11/2022
The SVG Support plugin for WordPress defaults to insecure settings in version 2.5 and 2.5.1. SVG files containing malicious javascript are not sanitized. While version 2.5 adds the ability to sanitize image as they are uploaded, the plugin defaults to disable sanitization and does not restrict SVG upload to only administrators. This allows authenticated attackers, with author-level privileges and higher, to upload malicious SVG files that can be embedded in posts and pages by higher privileged users. Additionally, the embedded JavaScript is also triggered on visiting the image URL, which allows an attacker to execute malicious code in browsers visiting that URL.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-4021
Publication date:
16/11/2022
The Permalink Manager Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.2.20.1. This is due to missing or incorrect nonce validation on the extra_actions function. This makes it possible for unauthenticated attackers to change plugin settings including permalinks and site maps, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-4018
Publication date:
16/11/2022
Missing Authentication for Critical Function in GitHub repository ikus060/rdiffweb prior to 2.5.0a6.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2022

CVE-2022-3980
Publication date:
16/11/2022
An XML External Entity (XEE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2025

CVE-2022-24036
Publication date:
16/11/2022
Karmasis Informatics Infraskope SIEM+ has an unauthenticated access vulnerability which could allow an unauthenticated attacker to modificate logs.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2024

CVE-2022-45047
Publication date:
16/11/2022
Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD
Severity CVSS v4.0: Pending analysis
Last modification:
16/02/2024

CVE-2022-4015
Publication date:
16/11/2022
A vulnerability, which was classified as critical, was found in Sports Club Management System 119. This affects an unknown part of the file admin/make_payments.php. The manipulation of the argument m_id/plan leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-213789 was assigned to this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
28/12/2023

CVE-2022-4014
Publication date:
16/11/2022
A vulnerability, which was classified as problematic, has been found in FeehiCMS. Affected by this issue is some unknown functionality of the component Post My Comment Tab. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The identifier of this vulnerability is VDB-213788.
Severity CVSS v4.0: Pending analysis
Last modification:
28/12/2023

CVE-2022-4013
Publication date:
16/11/2022
A vulnerability classified as problematic was found in Hospital Management Center. Affected by this vulnerability is an unknown functionality of the file appointment.php. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-213787.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-4012
Publication date:
16/11/2022
A vulnerability classified as critical has been found in Hospital Management Center. Affected is an unknown function of the file patient-info.php. The manipulation of the argument pt_id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-213786 is the identifier assigned to this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-4011
Publication date:
16/11/2022
A vulnerability was found in Simple History Plugin. It has been rated as critical. This issue affects some unknown processing of the component Header Handler. The manipulation of the argument X-Forwarded-For leads to improper output neutralization for logs. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-213785 was assigned to this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-2166
Publication date:
16/11/2022
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
17/11/2022
Subscribe to Vulnerabilities