Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database): by virtue of a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-35662

Publication date:
27/02/2021
In SaltStack Salt before 3002.5, when authenticating to services using certain modules, the SSL certificate is not always validated.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2024

CVE-2021-25283

Publication date:
27/02/2021
An issue was discovered in SaltStack Salt before 3002.5. The jinja renderer does not protect against server side template injection attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
21/12/2023

CVE-2021-25281

Publication date:
27/02/2021
An issue was discovered in SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.
Severity CVSS v4.0: Pending analysis
Last modification:
21/12/2023

CVE-2020-36079

Publication date:
26/02/2021
Zenphoto through 1.5.7 is affected by authenticated arbitrary file upload, leading to remote code execution. The attacker must navigate to the uploader plugin, check the elFinder box, and then drag and drop files into the Files(elFinder) portion of the UI. This can, for example, place a .php file in the server's uploaded/ directory. NOTE: the vendor disputes this because exploitation can only be performed by an admin who has "lots of other possibilities to harm a site."
Severity CVSS v4.0: Pending analysis
Last modification:
04/08/2024

CVE-2021-27198

Publication date:
26/02/2021
An issue was discovered in Visualware MyConnection Server before v11.1a. Unauthenticated Remote Code Execution can occur via Arbitrary File Upload in the web service when using a myspeed/sf?filename= URI. This application is written in Java and is thus cross-platform. The Windows installation runs as SYSTEM, which means that exploitation gives one Administrator privileges on the target system.
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2021

CVE-2020-27618

Publication date:
26/02/2021
The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228.
Severity CVSS v4.0: Pending analysis
Last modification:
09/06/2025

CVE-2021-27803

Publication date:
26/02/2021
A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2025

CVE-2021-27799

Publication date:
26/02/2021
ean_leading_zeroes in backend/upcean.c in Zint Barcode Generator 2.9.1 has a stack-based buffer overflow that is reachable from the C API through an application that includes the Zint Barcode Generator library code.
Severity CVSS v4.0: Pending analysis
Last modification:
10/03/2021

CVE-2021-26565

Publication date:
26/02/2021
Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to obtain sensitive information via an HTTP session.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2025

CVE-2021-26564

Publication date:
26/02/2021
Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2025

CVE-2021-26563

Publication date:
26/02/2021
Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2025

CVE-2021-26562

Publication date:
26/02/2021
Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2025