Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-1000127

Publication date:
13/03/2018
memcached version prior to 1.4.37 contains an Integer Overflow vulnerability in items.c:item_free() that can result in data corruption and deadlocks due to items existing in hash table being reused from free list. This attack appear to be exploitable via network connectivity to the memcached service. This vulnerability appears to have been fixed in 1.4.37 and later.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-1227

Publication date:
13/03/2018
Pivotal Concourse after 2018-03-05 might allow remote attackers to have an unspecified impact, if a customer obtained the Concourse software from a DNS domain that is no longer controlled by Pivotal. The original domain for the Concourse CI (concourse-dot-ci) open source project has been registered by an unknown actor, and is therefore no longer the official website for Concourse CI. The new official domain is concourse-ci.org. At approximately 4 am EDT on March 7, 2018 the Concourse OSS team began receiving reports that the Concourse domain was not responding. The Concourse OSS team discovered, upon investigation with both the original and the new domain registrars, that the originating domain registrar had made the domain available for purchase. This was done despite the domain being renewed by the Concourse OSS team through August 2018. For a customer to be affected, they would have needed to access a download from a "concourse-dot-ci" domain web site after March 6, 2018 18:00:00 EST. Accessing that domain is NOT recommended by Pivotal. Anyone who had been using that domain should immediately begin using the concourse-ci.org domain instead. Customers can also safely access Concourse software from the traditionally available locations on the Pivotal Network or GitHub.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2017-16250

Publication date:
13/03/2018
A vulnerability in Mitel ST 14.2, release GA28 and earlier, could allow an attacker to use the API function to enumerate through user-ids which could be used to identify valid user ids and associated user names.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2017-16251

Publication date:
13/03/2018
A vulnerability in the conferencing component of Mitel ST 14.2, release GA28 and earlier, could allow an authenticated user to upload a malicious script to the Personal Library by a crafted POST request. Successful exploit could allow an attacker to execute arbitrary code within the context of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-7405

Publication date:
13/03/2018
Cross-site scripting (XSS) in Zoho ManageEngine EventLog Analyzer before 11.12 Build 11120 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2017-17442

Publication date:
13/03/2018
In BlackBerry UEM Management Console version 12.7.1 and earlier, a reflected cross-site scripting vulnerability that could allow an attacker to execute script commands in the context of the affected UEM Management Console account by crafting a malicious link and then persuading a user with legitimate access to the Management Console to click on the malicious link.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-7750

Publication date:
13/03/2018
transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2017-1002101

Publication date:
13/03/2018
In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) can access files/directories outside of the volume, including the host's filesystem.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2017-1002102

Publication date:
13/03/2018
In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configMap, projected or downwardAPI volume can trigger deletion of arbitrary files/directories from the nodes where they are running.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-6294

Publication date:
13/03/2018
Unsecured way of firmware update in Hanwha Techwin Smartcams
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-6295

Publication date:
13/03/2018
Unencrypted way of remote control and communications in Hanwha Techwin Smartcams
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2018-6296

Publication date:
13/03/2018
An undocumented (hidden) capability for switching the web interface in Hanwha Techwin Smartcams
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026