Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2014-7840
Publication date:
12/12/2014
The host_from_stream_offset function in arch_init.c in QEMU, when loading RAM during migration, allows remote attackers to execute arbitrary code via a crafted (1) offset or (2) length value in savevm data.
Severity CVSS v4.0: Pending analysis
Last modification:
12/04/2025

CVE-2014-7136
Publication date:
12/12/2014
Heap-based buffer overflow in the K7FWFilt.sys kernel mode driver (aka K7Firewall Packet Driver) before 14.0.1.16, as used in multiple K7 Computing products, allows local users to execute arbitrary code with kernel privileges via a crafted parameter in a DeviceIoControl API call.
Severity CVSS v4.0: Pending analysis
Last modification:
12/04/2025

CVE-2014-6408
Publication date:
12/12/2014
Docker 1.3.0 through 1.3.1 allows remote attackers to modify the default run profile of image containers and possibly bypass the container by applying unspecified security options to an image.
Severity CVSS v4.0: Pending analysis
Last modification:
12/04/2025

CVE-2014-6407
Publication date:
12/12/2014
Docker before 1.3.2 allows remote attackers to write to arbitrary files and execute arbitrary code via a (1) symlink or (2) hard link attack in an image archive in a (a) pull or (b) load operation.
Severity CVSS v4.0: Pending analysis
Last modification:
12/04/2025

CVE-2014-6381
Publication date:
12/12/2014
Juniper WLC devices with WLAN Software releases 8.0.x before 8.0.4, 9.0.x before 9.0.2.11, 9.0.3.x before 9.0.3.5, and 9.1.x before 9.1.1, when "Proxy ARP" or "No Broadcast" features are enabled in a clustered setup, allows remote attackers to cause a denial of service (device disconnect) via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
12/04/2025

CVE-2013-4399
Publication date:
12/12/2014
The remoteClientFreeFunc function in daemon/remote.c in libvirt before 1.1.3, when ACLs are used, does not set an identity, which causes event handler removal to be denied and remote attackers to cause a denial of service (use-after-free and crash) by registering an event handler and then closing the connection.
Severity CVSS v4.0: Pending analysis
Last modification:
12/04/2025

CVE-2014-9365
Publication date:
12/12/2014
The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Severity CVSS v4.0: Pending analysis
Last modification:
12/04/2025

CVE-2014-8270
Publication date:
12/12/2014
BMC Track-It! 11.3 allows remote attackers to gain privileges and execute arbitrary code by creating an account whose name matches that of a local system account, then performing a password reset.
Severity CVSS v4.0: Pending analysis
Last modification:
12/04/2025

CVE-2014-7265
Publication date:
12/12/2014
Cross-site scripting (XSS) vulnerability in LinPHA allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
12/04/2025

CVE-2014-6316
Publication date:
12/12/2014
core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a crafted URL in the return parameter to login_page.php.
Severity CVSS v4.0: Pending analysis
Last modification:
12/04/2025

CVE-2014-6145
Publication date:
12/12/2014
Cross-site scripting (XSS) vulnerability in the server in IBM Cognos Business Intelligence 10.1 before IF10, 10.1.1 before IF9, 10.2 before IF11, 10.2.1 before IF8, and 10.2.1.1 before IF7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
Severity CVSS v4.0: Pending analysis
Last modification:
12/04/2025

CVE-2014-6138
Publication date:
12/12/2014
The IBM WebSphere DataPower XC10 appliance 2.1 and 2.5 before FP4 allows remote authenticated users to bypass intended grid-data access restrictions via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
12/04/2025
Subscribe to Vulnerabilities