Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-10117

Publication date:
16/04/2018
An issue was discovered in idreamsoft iCMS V7.0.7. There is a CSRF vulnerability that can add an admin account via admincp.php?app=members&do=save&frame=iPHP.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-10118

Publication date:
16/04/2018
Monstra CMS 3.0.4 has Stored XSS via the Name field on the Create New Page screen under the admin/index.php?id=pages URI, related to plugins/box/pages/pages.admin.php.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-10119

Publication date:
16/04/2018
sot/source/sdstor/stgstrms.cxx in LibreOffice before 5.4.5.1 and 6.x before 6.0.1.1 uses an incorrect integer data type in the StgSmallStrm class, which allows remote attackers to cause a denial of service (use-after-free with write access) or possibly have unspecified other impact via a crafted document that uses the structured storage ole2 wrapper file format.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-10120

Publication date:
16/04/2018
The SwCTBWrapper::Read function in sw/source/filter/ww8/ww8toolbar.cxx in LibreOffice before 5.4.6.1 and 6.x before 6.0.2.1 does not validate a customizations index, which allows remote attackers to cause a denial of service (heap-based buffer overflow with write access) or possibly have unspecified other impact via a crafted document that contains a certain Microsoft Word record.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-10121

Publication date:
16/04/2018
plugins/box/pages/pages.admin.php in Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has access to the editor role, and enters the payload in the title section of an admin/index.php?id=pages&action=edit_page&name=error404 (aka Edit 404 page) action.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-10122

Publication date:
16/04/2018
QingDao Nature Easy Soft Chanzhi Enterprise Portal System (aka chanzhieps) pro1.6 allows remote attackers to read arbitrary files via directory traversal sequences in the pathname parameter to www/file.php.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-10097

Publication date:
16/04/2018
XSS exists in Domain Trader 2.5.3 via the recoverlogin.php email_address parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-10100

Publication date:
16/04/2018
Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-10101

Publication date:
16/04/2018
Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-10102

Publication date:
16/04/2018
Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-10106

Publication date:
16/04/2018
D-Link DIR-815 REV. B (with firmware through DIR-815_REVB_FIRMWARE_PATCH_2.07.B01) devices have permission bypass and information disclosure in /htdocs/web/getcfg.php, as demonstrated by a /getcfg.php?a=%0a_POST_SERVICES%3DDEVICE.ACCOUNT%0aAUTHORIZED_GROUP%3D1 request.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-10107

Publication date:
16/04/2018
D-Link DIR-815 REV. B (with firmware through DIR-815_REVB_FIRMWARE_PATCH_2.07.B01) devices have XSS in the RESULT parameter to /htdocs/webinc/js/info.php.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026