Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-1000520

Publication date:
26/06/2018
ARM mbedTLS version 2.7.0 and earlier contains a Ciphersuite Allows Incorrectly Signed Certificates vulnerability in mbedtls_ssl_get_verify_result() that can result in ECDSA-signed certificates are accepted, when only RSA-signed ones should be.. This attack appear to be exploitable via Peers negotiate a TLS-ECDH-RSA-* ciphersuite. Any of the peers can then provide an ECDSA-signed certificate, when only an RSA-signed one should be accepted..
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-1000521

Publication date:
26/06/2018
BigTree-CMS contains a Cross Site Scripting (XSS) vulnerability in /users/create that can result in The low-privileged users can use this vulnerability to attack high-privileged(Developer) users.. This attack appear to be exploitable via no. This vulnerability appears to have been fixed in after commit b652cfdc14d0670c81ac4401ad5a04376745c279.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-1000523

Publication date:
26/06/2018
topydo contains a CWE-20: Improper Input Validation vulnerability in ListFormatParser::parse, file topydo/lib/ListFormat.py line 292 as of d4f843dac71308b2f29a7c2cdc76f055c3841523 that can result in Injection of arbitrary bytes to the terminal, including terminal escape code sequences. This attack appear to be exploitable via The victim must open a todo.txt with at least one specially crafted line..
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-1000524

Publication date:
26/06/2018
miniSphere version 5.2.9 and earlier contains a Integer Overflow vulnerability in layer_resize() function in map_engine.c that can result in remote denial of service. This attack appear to be exploitable via the victim must load a specially-crafted map which calls SetLayerSize in its entry script. This vulnerability appears to have been fixed in 5.0.3, 5.1.5, 5.2.10 and later.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-1000525

Publication date:
26/06/2018
openpsa contains a PHP Object Injection vulnerability in Form data passed as GET request variables that can result in Possible information disclosure and remote code execution. This attack appear to be exploitable via Specially crafted GET request variable containing serialised PHP object. This vulnerability appears to have been fixed in after commit 097eae0.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-1000526

Publication date:
26/06/2018
Openpsa contains a XML Injection vulnerability in RSS file upload feature that can result in Remote denial of service. This attack appear to be exploitable via Specially crafted XML file. This vulnerability appears to have been fixed in after commit 4974a26.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-1000527

Publication date:
26/06/2018
Froxlor version
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-1000528

Publication date:
26/06/2018
GONICUS GOsa version before commit 56070d6289d47ba3f5918885954dcceb75606001 contains a Cross Site Scripting (XSS) vulnerability in change password form (html/password.php, #308) that can result in injection of arbitrary web script or HTML. This attack appear to be exploitable via the victim must open a specially crafted web page. This vulnerability appears to have been fixed in after commit 56070d6289d47ba3f5918885954dcceb75606001.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-1000529

Publication date:
26/06/2018
Grails Fields plugin version 2.2.7 contains a Cross Site Scripting (XSS) vulnerability in Using the display tag that can result in XSS . This vulnerability appears to have been fixed in 2.2.8.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-1000531

Publication date:
26/06/2018
inversoft prime-jwt version prior to commit abb0d479389a2509f939452a6767dc424bb5e6ba contains a CWE-20 vulnerability in JWTDecoder.decode that can result in an incorrect signature validation of a JWT token. This attack can be exploitable when an attacker crafts a JWT token with a valid header using 'none' as algorithm and a body to requests it be validated. This vulnerability was fixed after commit abb0d479389a2509f939452a6767dc424bb5e6ba.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-1000532

Publication date:
26/06/2018
beep version 1.3 and up contains a External Control of File Name or Path vulnerability in --device option that can result in Local unprivileged user can inhibit execution of arbitrary programs by other users, allowing DoS. This attack appear to be exploitable via The system must allow local users to run beep.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-1000533

Publication date:
26/06/2018
klaussilveira GitList version
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026