Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2007-2384

Publication date:

30/04/2007

The Script.aculo.us framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."

Severity CVSS v4.0: Pending analysis

Last modification:

23/04/2026

CVE-2007-2385

Publication date:

30/04/2007

The Yahoo! UI framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."

Severity CVSS v4.0: Pending analysis

Last modification:

23/04/2026

CVE-2007-2383

Publication date:

30/04/2007

The Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."

Severity CVSS v4.0: Pending analysis

Last modification:

23/04/2026

CVE-2006-4520

Publication date:

30/04/2007

ncp in Novell eDirectory before 8.7.3 SP9, and 8.8.x before 8.8.1 FTF2, does not properly handle NCP fragments with a negative length, which allows remote attackers to cause a denial of service (daemon crash) when the heap is written to a log file.

Severity CVSS v4.0: Pending analysis

Last modification:

23/04/2026

CVE-2006-7198

Publication date:

30/04/2007

Unspecified vulnerability in IBM WebSphere Application Server (WAS) before 5.1.1.14, and WAS for z/OS 601 before 6.0.2.13, has unknown impact and attack vectors, related to a "Potential security exposure," aka PK26123.

Severity CVSS v4.0: Pending analysis

Last modification:

23/04/2026

CVE-2007-2349

Publication date:

30/04/2007

Cross-site scripting (XSS) vulnerability in Invision Power Board (IP.Board) 2.1.x and 2.2.x allows remote attackers to inject arbitrary web script or HTML by uploading crafted images or PDF files.

Severity CVSS v4.0: Pending analysis

Last modification:

23/04/2026

CVE-2007-2350

Publication date:

30/04/2007

admin/config.php in the music-on-hold module in freePBX 2.2.x allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the del parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

23/04/2026

CVE-2007-2351

Publication date:

30/04/2007

Unspecified vulnerability in the HP Power Manager Remote Agent (RA) 4.0Build10 and earlier in HP-UX B.11.11 and B.11.23 allows local users to execute arbitrary code via unspecified vectors.

Severity CVSS v4.0: Pending analysis

Last modification:

23/04/2026

CVE-2007-2352

Publication date:

30/04/2007

Multiple format string vulnerabilities in AFFLIB 2.2.6 allow remote attackers to execute arbitrary code via certain command line parameters, which are used in (1) warn and (2) err calls, possibly involving (a) lib/s3.cpp, (b) tools/afconvert.cpp, (c) tools/afcopy.cpp, (d) tools/afinfo.cpp, (e) aimage/imager.cpp, and (f) tools/afxml.cpp. NOTE: this identifier is intended to address the vectors that were not fixed in CVE-2007-2054, but the unfixed vectors were not explicitly listed.

Severity CVSS v4.0: Pending analysis

Last modification:

23/04/2026

CVE-2007-2353

Publication date:

30/04/2007

Apache Axis 1.0 allows remote attackers to obtain sensitive information by requesting a non-existent WSDL file, which reveals the installation path in the resulting exception message.

Severity CVSS v4.0: Pending analysis

Last modification:

23/04/2026

CVE-2007-2354

Publication date:

30/04/2007

Progress Webspeed Messenger allows remote attackers to obtain sensitive information via a WService parameter containing "wsbroker1/webutil/about.r", which reveals the operating system and product information.

Severity CVSS v4.0: Pending analysis

Last modification:

23/04/2026

CVE-2007-2355

Publication date:

30/04/2007

The get_url function in DODS_Dispatch.pm for the CGI_server in OPeNDAP 3 allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.

Severity CVSS v4.0: Pending analysis

Last modification:

23/04/2026

Subscribe to Vulnerabilities