Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2009-4532

Publication date:
31/12/2009
Cross-site scripting (XSS) vulnerability in the Webform module 5.x before 5.x-2.8 and 6.x before 6.x-2.8, a module for Drupal, allows remote authenticated users, with webform creation privileges, to inject arbitrary web script or HTML via a field label.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2025

CVE-2009-4533

Publication date:
31/12/2009
The Webform module 5.x before 5.x-2.8 and 6.x before 6.x-2.8, a module for Drupal, does not prevent caching of a page that contains token placeholders for a default value, which allows remote attackers to read session variables via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2025

CVE-2009-4529

Publication date:
31/12/2009
InterVations NaviCOPA Web Server 3.0.1.2 and earlier allows remote attackers to obtain the source code for a web page via a trailing encoded space character in a URI, as demonstrated by /index.html%20 and /index.php%20 URIs.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2025

CVE-2009-4531

Publication date:
31/12/2009
httpdx 1.4.4 and earlier allows remote attackers to obtain the source code for a web page by appending a . (dot) character to the URI.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2025

CVE-2009-4535

Publication date:
31/12/2009
Mongoose 2.8.0 and earlier allows remote attackers to obtain the source code for a web page by appending a / (slash) character to the URI.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2025

CVE-2009-4521

Publication date:
31/12/2009
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2025

CVE-2009-4501

Publication date:
31/12/2009
The zbx_get_next_field function in libs/zbxcommon/str.c in Zabbix Server before 1.6.8 allows remote attackers to cause a denial of service (crash) via a request that lacks expected separators, which triggers a NULL pointer dereference, as demonstrated using the Command keyword.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2025

CVE-2009-4502

Publication date:
31/12/2009
The NET_TCP_LISTEN function in net.c in Zabbix Agent before 1.6.7, when running on FreeBSD or Solaris, allows remote attackers to bypass the EnableRemoteCommands setting and execute arbitrary commands via shell metacharacters in the argument to net.tcp.listen. NOTE: this attack is limited to attacks from trusted IP addresses.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2025

CVE-2009-4500

Publication date:
31/12/2009
The process_trap function in trapper/trapper.c in Zabbix Server before 1.6.6 allows remote attackers to cause a denial of service (crash) via a crafted request with data that lacks an expected : (colon) separator, which triggers a NULL pointer dereference.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2025

CVE-2009-4499

Publication date:
31/12/2009
SQL injection vulnerability in the get_history_lastid function in the nodewatcher component in Zabbix Server before 1.6.8 allows remote attackers to execute arbitrary SQL commands via a crafted request, possibly related to the send_history_last_id function in zabbix_server/trapper/nodehistory.c.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2025

CVE-2009-4498

Publication date:
31/12/2009
The node_process_command function in Zabbix Server before 1.8 allows remote attackers to execute arbitrary commands via a crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2025

CVE-2008-7250

Publication date:
30/12/2009
Cross-site scripting (XSS) vulnerability in Squid Analysis Report Generator (Sarg) 2.2.4 allows remote attackers to inject arbitrary web script or HTML via a JavaScript onload event in the User-Agent header, which is not properly handled when displaying the Squid proxy log. NOTE: this issue exists because of an incomplete fix for CVE-2008-1168.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2025