Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2015-6576
Publication date:
03/10/2017
Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2017-11321
Publication date:
03/10/2017
The restricted shell interface in UCOPIA Wireless Appliance before 5.1.8 allows remote authenticated users to gain 'admin' privileges via shell metacharacters in the less command.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2015-7358
Publication date:
03/10/2017
The IsDriveLetterAvailable method in Driver/Ntdriver.c in TrueCrypt 7.0, VeraCrypt before 1.15, and CipherShed, when running on Windows, does not properly validate drive letter symbolic links, which allows local users to mount an encrypted volume over an existing drive letter and gain privileges via an entry in the /GLOBAL?? directory.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2015-7359
Publication date:
03/10/2017
The (1) IsVolumeAccessibleByCurrentUser and (2) MountDevice methods in Ntdriver.c in TrueCrypt 7.0, VeraCrypt before 1.15, and CipherShed, when running on Windows, do not check the impersonation level of impersonation tokens, which allows local users to impersonate a user at SecurityIdentify level and gain access to other users' mounted encrypted volumes.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2014-0043
Publication date:
03/10/2017
In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2016-6806
Publication date:
03/10/2017
Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2017-14941
Publication date:
02/10/2017
Jaspersoft JasperReports 4.7 suffers from a saved credential disclosure vulnerability, which allows a remote authenticated user to retrieve stored Data Source passwords by accessing flow.html and reading the HTML source code of the page reached in an Edit action for a Data Source connector.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2017-14954
Publication date:
02/10/2017
The waitid implementation in kernel/exit.c in the Linux kernel through 4.13.4 accesses rusage data structures in unintended cases, which allows local users to obtain sensitive information, and bypass the KASLR protection mechanism, via a crafted system call.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2017-14957
Publication date:
02/10/2017
Stored XSS vulnerability via a comment in inc/conv.php in BlogoText before 3.7.6 allows an unauthenticated attacker to inject JavaScript. If the victim is an administrator, an attacker can (for example) change global settings or create/delete posts. It is also possible to execute JavaScript against unauthenticated users of the blog.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2017-14958
Publication date:
02/10/2017
lib.php in PivotX 2.3.11 does not properly block uploads of dangerous file types by admin users, which allows remote PHP code execution via an upload of a .php file.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2017-14975
Publication date:
02/10/2017
The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler 0.59.0 has a NULL pointer dereference vulnerability because a data structure is not initialized, which allows an attacker to launch a denial of service attack.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026

CVE-2017-14976
Publication date:
02/10/2017
The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler 0.59.0 has a heap-based buffer over-read vulnerability if an out-of-bounds font dictionary index is encountered, which allows an attacker to launch a denial of service attack.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2026
Subscribe to Vulnerabilities