Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-10076

Publication date:
02/07/2018
An issue was discovered in Zoho ManageEngine EventLog Analyzer 11.12. A Cross-Site Scripting vulnerability allows a remote attacker to inject arbitrary web script or HTML via the search functionality (the search box of the Dashboard).
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-12499

Publication date:
02/07/2018
The Motorola MBP853 firmware does not correctly validate server certificates. This allows for a Man in The Middle (MiTM) attack to take place between a Motorola MBP853 camera and the servers it communicates with. In one such instance, it was identified that the device was downloading what appeared to be a client certificate.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-12528

Publication date:
02/07/2018
An issue was discovered on Intex N150 devices. The backup/restore option does not check the file extension uploaded for importing a configuration files backup, which can lead to corrupting the router firmware settings or even the uploading of malicious files. In order to exploit the vulnerability, an attacker can upload any malicious file and force reboot the router with it.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-12529

Publication date:
02/07/2018
An issue was discovered on Intex N150 devices. The router firmware suffers from multiple CSRF injection point vulnerabilities including changing user passwords and router settings.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-12574

Publication date:
02/07/2018
CSRF exists for all actions in the web interface on TP-Link TL-WR841N v13 00000001 0.9.1 4.16 v0001.0 Build 180119 Rel.65243n devices.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-12575

Publication date:
02/07/2018
On TP-Link TL-WR841N v13 00000001 0.9.1 4.16 v0001.0 Build 171019 Rel.55346n devices, all actions in the web interface are affected by bypass of authentication via an HTTP request.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-12576

Publication date:
02/07/2018
TP-Link TL-WR841N v13 00000001 0.9.1 4.16 v0001.0 Build 180119 Rel.65243n devices allow clickjacking.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-12577

Publication date:
02/07/2018
The Ping and Traceroute features on TP-Link TL-WR841N v13 00000001 0.9.1 4.16 v0001.0 Build 180119 Rel.65243n devices allow authenticated blind Command Injection.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-9276

Publication date:
02/07/2018
An issue was discovered in PRTG Network Monitor before 18.2.39. An attacker who has access to the PRTG System Administrator web console with administrative privileges can exploit an OS command injection vulnerability (both on the server and on devices) by sending malformed parameters in sensor or notification management scenarios.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-13056

Publication date:
02/07/2018
An issue was discovered on zzcms 8.3. There is a vulnerability at /user/del.php that can delete any file by placing its relative path into the zzcms_main table and then making an img add request. This can be leveraged for database access by deleting install.lock.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-13054

Publication date:
02/07/2018
An issue was discovered in Cinnamon 1.9.2 through 3.8.6. The cinnamon-settings-users.py GUI runs as root and allows configuration of (for example) other users' icon files in _on_face_browse_menuitem_activated and _on_face_menuitem_activated. These icon files are written to the respective user's $HOME/.face location. If an unprivileged user prepares a symlink pointing to an arbitrary location, then this location will be overwritten with the icon content.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-10874

Publication date:
02/07/2018
In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026