Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-11502

Publication date:
24/08/2018
An issue was discovered in the Moderator Log Notes plugin 1.1 for MyBB. It allows moderators to save notes and display them in a list in the modCP. An attacker can remotely delete all mod notes and mod note logs in the modCP and ACP via CSRF.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-11653

Publication date:
24/08/2018
Information disclosure in Netwave IP camera at //etc/RT2870STA.dat (via HTTP on port 8000) allows an unauthenticated attacker to exfiltrate sensitive information about the network configuration like the network SSID and password.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-11654

Publication date:
24/08/2018
Information disclosure in Netwave IP camera at get_status.cgi (via HTTP on port 8000) allows an unauthenticated attacker to exfiltrate sensitive information from the device.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-15576

Publication date:
24/08/2018
An issue was discovered in EasyLogin Pro through 1.3.0. Encryptor.php contains an unserialize call that can be exploited for remote code execution in the decrypt function, if the attacker knows the key.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-3786

Publication date:
24/08/2018
A command injection vulnerability in egg-scripts
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-15605

Publication date:
24/08/2018
An issue was discovered in phpMyAdmin before 4.8.3. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted file to manipulate an authenticated user who loads that file through the import feature.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-15728

Publication date:
24/08/2018
Couchbase Server exposed the '/diag/eval' endpoint which by default is available on TCP/8091 and/or TCP/18091. Authenticated users that have 'Full Admin' role assigned could send arbitrary Erlang code to the 'diag/eval' endpoint of the API and the code would subsequently be executed in the underlying operating system with privileges of the user which was used to start Couchbase. Affects Version: 4.0.0, 4.1.2, 4.5.1, 5.0.0, 4.6.5, 5.0.1, 5.1.1, 5.5.0, 5.5.1. Fix Version: 6.0.0, 5.5.2
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2017-12577

Publication date:
24/08/2018
An issue was discovered on the PLANEX CS-QR20 1.30. A hardcoded account / password ("admin:password") is used in the Android application that allows attackers to use a hidden API URL "/goform/SystemCommand" to execute any command with root permission.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-15120

Publication date:
24/08/2018
libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other products, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted text with invalid Unicode sequences.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-14598

Publication date:
24/08/2018
An issue was discovered in XListExtensions in ListExt.c in libX11 through 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault).
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-14599

Publication date:
24/08/2018
An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c is vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-14600

Publication date:
24/08/2018
An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c interprets a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026