{
"Source": "CVE FEED",
"Title": "CVE-2025-62423 - ClipBucket V5 Blind SQL injection in the Admin Panel",
"Content": "CVE ID : CVE-2025-62423
Published : Oct. 16, 2025, 7:15 p.m. | 41 minutes ago
Description : ClipBucket V5 provides open source video hosting with PHP. In version5.5.2 - #140 and earlier, a Blind SQL injection vulnerability exists in the Admin Areaโs โ/admin_area/login_as_user.phpโ file. Exploiting this vulnerability requires access privileges to the Admin Area.
Severity: 6.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-62423 - ClipBucket V5 Blind SQL injection in the Admin Panel",
"Content": "CVE ID : CVE-2025-62423
Published : Oct. 16, 2025, 7:15 p.m. | 41 minutes ago
Description : ClipBucket V5 provides open source video hosting with PHP. In version5.5.2 - #140 and earlier, a Blind SQL injection vulnerability exists in the Admin Areaโs โ/admin_area/login_as_user.phpโ file. Exploiting this vulnerability requires access privileges to the Admin Area.
Severity: 6.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-62414 - bagisto - Cross Site Scripting (XSS) in Create New Customer",
"Content": "CVE ID : CVE-2025-62414
Published : Oct. 16, 2025, 7:15 p.m. | 41 minutes ago
Description : Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the โCreate New Customerโ feature (in the admin panel) is vulnerable to Cross-Site Scripting (XSS). An attacker with access to the admin create-customer form can inject malicious JavaScript payloads into certain input fields. These payloads may later execute in the context of an adminโs browser or another user viewing the customer data, enabling session theft or admin-level actions. This vulnerability is fixed in 2.3.8.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-62414 - bagisto - Cross Site Scripting (XSS) in Create New Customer",
"Content": "CVE ID : CVE-2025-62414
Published : Oct. 16, 2025, 7:15 p.m. | 41 minutes ago
Description : Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the โCreate New Customerโ feature (in the admin panel) is vulnerable to Cross-Site Scripting (XSS). An attacker with access to the admin create-customer form can inject malicious JavaScript payloads into certain input fields. These payloads may later execute in the context of an adminโs browser or another user viewing the customer data, enabling session theft or admin-level actions. This vulnerability is fixed in 2.3.8.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-60855 - Reolink Video Doorbell WiFi Insufficient Firmware Signature Validation Arbitrary Code Execution Vulnerability",
"Content": "CVE ID : CVE-2025-60855
Published : Oct. 16, 2025, 7:15 p.m. | 41 minutes ago
Description : Reolink Video Doorbell WiFi DB_566128M5MP_W performs insufficient validation of firmware update signatures. This allows attackers to load malicious firmware images, resulting in arbitrary code execution with root privileges.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-60855 - Reolink Video Doorbell WiFi Insufficient Firmware Signature Validation Arbitrary Code Execution Vulnerability",
"Content": "CVE ID : CVE-2025-60855
Published : Oct. 16, 2025, 7:15 p.m. | 41 minutes ago
Description : Reolink Video Doorbell WiFi DB_566128M5MP_W performs insufficient validation of firmware update signatures. This allows attackers to load malicious firmware images, resulting in arbitrary code execution with root privileges.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-61514 - CoCalc SVG File Upload Remote Code Execution Vulnerability",
"Content": "CVE ID : CVE-2025-61514
Published : Oct. 16, 2025, 7:15 p.m. | 41 minutes ago
Description : An arbitrary file upload vulnerability in SageMath, Inc CoCalc before commit 0d2ff58 allows attackers to execute arbitrary code via uploading a crafted SVG file.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-61514 - CoCalc SVG File Upload Remote Code Execution Vulnerability",
"Content": "CVE ID : CVE-2025-61514
Published : Oct. 16, 2025, 7:15 p.m. | 41 minutes ago
Description : An arbitrary file upload vulnerability in SageMath, Inc CoCalc before commit 0d2ff58 allows attackers to execute arbitrary code via uploading a crafted SVG file.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-61553 - BitVisor VirtIO Network Device Emulation Out-of-Bounds Write Vulnerability",
"Content": "CVE ID : CVE-2025-61553
Published : Oct. 16, 2025, 7:15 p.m. | 41 minutes ago
Description : An out-of-bounds write in VirtIO network device emulation in BitVisor from commit 108df6 (2020-05-20) to commit 480907 (2025-07-06) allows local attackers to cause a denial of service (host hypervisor crash) via a crafted PCI configuration space access. Given it's a heap overflow in a privileged hypervisor context, exploitation may enable arbitrary code execution or guest-to-host privilege escalation.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-61553 - BitVisor VirtIO Network Device Emulation Out-of-Bounds Write Vulnerability",
"Content": "CVE ID : CVE-2025-61553
Published : Oct. 16, 2025, 7:15 p.m. | 41 minutes ago
Description : An out-of-bounds write in VirtIO network device emulation in BitVisor from commit 108df6 (2020-05-20) to commit 480907 (2025-07-06) allows local attackers to cause a denial of service (host hypervisor crash) via a crafted PCI configuration space access. Given it's a heap overflow in a privileged hypervisor context, exploitation may enable arbitrary code execution or guest-to-host privilege escalation.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-11852 - Apeman ID71 ONVIF Service device_service missing authentication",
"Content": "CVE ID : CVE-2025-11852
Published : Oct. 16, 2025, 7:15 p.m. | 41 minutes ago
Description : A vulnerability was found in Apeman ID71 218.53.203.117. The impacted element is an unknown function of the file /onvif/device_service of the component ONVIF Service. Performing manipulation results in missing authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-11852 - Apeman ID71 ONVIF Service device_service missing authentication",
"Content": "CVE ID : CVE-2025-11852
Published : Oct. 16, 2025, 7:15 p.m. | 41 minutes ago
Description : A vulnerability was found in Apeman ID71 218.53.203.117. The impacted element is an unknown function of the file /onvif/device_service of the component ONVIF Service. Performing manipulation results in missing authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-11853 - Sismics Teedy API Endpoint file access control",
"Content": "CVE ID : CVE-2025-11853
Published : Oct. 16, 2025, 7:15 p.m. | 41 minutes ago
Description : A vulnerability was determined in Sismics Teedy up to 1.11. This affects an unknown function of the file /api/file of the component API Endpoint. Executing manipulation can lead to improper access controls. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-11853 - Sismics Teedy API Endpoint file access control",
"Content": "CVE ID : CVE-2025-11853
Published : Oct. 16, 2025, 7:15 p.m. | 41 minutes ago
Description : A vulnerability was determined in Sismics Teedy up to 1.11. This affects an unknown function of the file /api/file of the component API Endpoint. Executing manipulation can lead to improper access controls. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-34253 - D-Link Nuclias Connect <= v1.3.1.4 stored cross-site scripting (xss)",
"Content": "CVE ID : CVE-2025-34253
Published : Oct. 16, 2025, 7:15 p.m. | 41 minutes ago
Description : D-Link Nuclias Connect firmware versions <=
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-34253 - D-Link Nuclias Connect <= v1.3.1.4 stored cross-site scripting (xss)",
"Content": "CVE ID : CVE-2025-34253
Published : Oct. 16, 2025, 7:15 p.m. | 41 minutes ago
Description : D-Link Nuclias Connect firmware versions <=
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-34254 - D-Link Nuclias Connect <= v1.3.1.4 login account enumeration",
"Content": "CVE ID : CVE-2025-34254
Published : Oct. 16, 2025, 7:15 p.m. | 41 minutes ago
Description : D-Link Nuclias Connect firmware versions <=
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-34254 - D-Link Nuclias Connect <= v1.3.1.4 login account enumeration",
"Content": "CVE ID : CVE-2025-34254
Published : Oct. 16, 2025, 7:15 p.m. | 41 minutes ago
Description : D-Link Nuclias Connect firmware versions <=
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-11493 - Self-Update Verification Mechanism Process in ConnectWise Automate",
"Content": "CVE ID : CVE-2025-11493
Published : Oct. 16, 2025, 7:15 p.m. | 41 minutes ago
Description : The ConnectWise Automate Agent does not fully verify the authenticity of files downloaded from the server, such as updates, dependencies, and integrations. This creates a risk where an on-path attacker could perform a man-in-the-middle attack and substitute malicious files for legitimate ones by impersonating a legitimate server. This risk is mitigated when HTTPS is enforced and is related to CVE-2025-11492.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-11493 - Self-Update Verification Mechanism Process in ConnectWise Automate",
"Content": "CVE ID : CVE-2025-11493
Published : Oct. 16, 2025, 7:15 p.m. | 41 minutes ago
Description : The ConnectWise Automate Agent does not fully verify the authenticity of files downloaded from the server, such as updates, dependencies, and integrations. This creates a risk where an on-path attacker could perform a man-in-the-middle attack and substitute malicious files for legitimate ones by impersonating a legitimate server. This risk is mitigated when HTTPS is enforced and is related to CVE-2025-11492.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-34255 - D-Link Nuclias Connect <= v1.3.1.4 forgot password account enumeration",
"Content": "CVE ID : CVE-2025-34255
Published : Oct. 16, 2025, 7:15 p.m. | 41 minutes ago
Description : D-Link Nuclias Connect firmware versions <=
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-34255 - D-Link Nuclias Connect <= v1.3.1.4 forgot password account enumeration",
"Content": "CVE ID : CVE-2025-34255
Published : Oct. 16, 2025, 7:15 p.m. | 41 minutes ago
Description : D-Link Nuclias Connect firmware versions <=
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-11492 - HTTP Configuration and Encryption in Transit",
"Content": "CVE ID : CVE-2025-11492
Published : Oct. 16, 2025, 7:15 p.m. | 41 minutes ago
Description : In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications.
Severity: 9.6 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-11492 - HTTP Configuration and Encryption in Transit",
"Content": "CVE ID : CVE-2025-11492
Published : Oct. 16, 2025, 7:15 p.m. | 41 minutes ago
Description : In the ConnectWise Automate Agent, communications could be configured to use HTTP instead of HTTPS. In such cases, an on-path threat actor with a man-in-the-middle network position could intercept, modify, or replay agent-server traffic. Additionally, the encryption method used to obfuscate some communications over the HTTP channel is updated in the Automate 2025.9 patch to enforce HTTPS for all agent communications.
Severity: 9.6 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-62413 - MQTTX vulnerable to cross-site scripting via improper message payload rendering",
"Content": "CVE ID : CVE-2025-62413
Published : Oct. 16, 2025, 6:15 p.m. | 1 hour, 41 minutes ago
Description : MQTTX is an MQTT 5.0 desktop client and MQTT testing tool. A Cross-Site Scripting (XSS) vulnerability was introduced in MQTTX v1.12.0 due to improper handling of MQTT message payload rendering. Malicious payloads containing HTML or JavaScript could be rendered directly in the MQTTX message viewer. If exploited, this could allow attackers to execute arbitrary scripts in the context of the application UI โ for example, attempting to access MQTT connection credentials or trigger unintended actions through script injection. This vulnerability is especially relevant when MQTTX is used with brokers in untrusted or multi-tenant environments, where message content cannot be fully controlled. This vulnerability is fixed in 1.12.1.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-62413 - MQTTX vulnerable to cross-site scripting via improper message payload rendering",
"Content": "CVE ID : CVE-2025-62413
Published : Oct. 16, 2025, 6:15 p.m. | 1 hour, 41 minutes ago
Description : MQTTX is an MQTT 5.0 desktop client and MQTT testing tool. A Cross-Site Scripting (XSS) vulnerability was introduced in MQTTX v1.12.0 due to improper handling of MQTT message payload rendering. Malicious payloads containing HTML or JavaScript could be rendered directly in the MQTTX message viewer. If exploited, this could allow attackers to execute arbitrary scripts in the context of the application UI โ for example, attempting to access MQTT connection credentials or trigger unintended actions through script injection. This vulnerability is especially relevant when MQTTX is used with brokers in untrusted or multi-tenant environments, where message content cannot be fully controlled. This vulnerability is fixed in 1.12.1.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-62504 - Envoy Lua filter use-after-free when oversized rewritten response body causes crash",
"Content": "CVE ID : CVE-2025-62504
Published : Oct. 16, 2025, 9:23 p.m. | 36 minutes ago
Description : Envoy is an open source edge and service proxy. Envoy versions earlier than 1.36.2, 1.35.6, 1.34.10, and 1.33.12 contain a use-after-free vulnerability in the Lua filter. When a Lua script executing in the response phase rewrites a response body so that its size exceeds the configured per_connection_buffer_limit_bytes (default 1MB), Envoy generates a local reply whose headers override the original response headers, leaving dangling references and causing a crash. This results in denial of service. Updating to versions 1.36.2, 1.35.6, 1.34.10, or 1.33.12 fixes the issue. Increasing per_connection_buffer_limit_bytes (and for HTTP/2 the initial_stream_window_size) or increasing per_request_buffer_limit_bytes / request_body_buffer_limit can reduce the likelihood of triggering the condition but does not correct the underlying memory safety flaw.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-62504 - Envoy Lua filter use-after-free when oversized rewritten response body causes crash",
"Content": "CVE ID : CVE-2025-62504
Published : Oct. 16, 2025, 9:23 p.m. | 36 minutes ago
Description : Envoy is an open source edge and service proxy. Envoy versions earlier than 1.36.2, 1.35.6, 1.34.10, and 1.33.12 contain a use-after-free vulnerability in the Lua filter. When a Lua script executing in the response phase rewrites a response body so that its size exceeds the configured per_connection_buffer_limit_bytes (default 1MB), Envoy generates a local reply whose headers override the original response headers, leaving dangling references and causing a crash. This results in denial of service. Updating to versions 1.36.2, 1.35.6, 1.34.10, or 1.33.12 fixes the issue. Increasing per_connection_buffer_limit_bytes (and for HTTP/2 the initial_stream_window_size) or increasing per_request_buffer_limit_bytes / request_body_buffer_limit can reduce the likelihood of triggering the condition but does not correct the underlying memory safety flaw.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-62506 - MinIO vulnerable to privilege escalation via session policy bypass in service accounts and STS",
"Content": "CVE ID : CVE-2025-62506
Published : Oct. 16, 2025, 9:17 p.m. | 43 minutes ago
Description : MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session policies to bypass their inline policy restrictions when performing operations on their own account, specifically when creating new service accounts for the same user. The vulnerability exists in the IAM policy validation logic where the code incorrectly relied on the DenyOnly argument when validating session policies for restricted accounts. When a session policy is present, the system should validate that the action is allowed by the session policy, not just that it is not denied. An attacker with valid credentials for a restricted service or STS account can create a new service account for itself without policy restrictions, resulting in a new service account with full parent privileges instead of being restricted by the inline policy. This allows the attacker to access buckets and objects beyond their intended restrictions and modify, delete, or create objects outside their authorized scope. The vulnerability is fixed in version RELEASE.2025-10-15T17-29-55Z.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-62506 - MinIO vulnerable to privilege escalation via session policy bypass in service accounts and STS",
"Content": "CVE ID : CVE-2025-62506
Published : Oct. 16, 2025, 9:17 p.m. | 43 minutes ago
Description : MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session policies to bypass their inline policy restrictions when performing operations on their own account, specifically when creating new service accounts for the same user. The vulnerability exists in the IAM policy validation logic where the code incorrectly relied on the DenyOnly argument when validating session policies for restricted accounts. When a session policy is present, the system should validate that the action is allowed by the session policy, not just that it is not denied. An attacker with valid credentials for a restricted service or STS account can create a new service account for itself without policy restrictions, resulting in a new service account with full parent privileges instead of being restricted by the inline policy. This allows the attacker to access buckets and objects beyond their intended restrictions and modify, delete, or create objects outside their authorized scope. The vulnerability is fixed in version RELEASE.2025-10-15T17-29-55Z.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2024-42192 - HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a credential leakage",
"Content": "CVE ID : CVE-2024-42192
Published : Oct. 16, 2025, 9:15 p.m. | 44 minutes ago
Description : HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a credential leakage which could allow an attacker to access other computers or applications.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2024-42192 - HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a credential leakage",
"Content": "CVE ID : CVE-2024-42192
Published : Oct. 16, 2025, 9:15 p.m. | 44 minutes ago
Description : HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a credential leakage which could allow an attacker to access other computers or applications.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-11864 - NucleoidAI Nucleoid Outbound Request cluster.ts extension.apply server-side request forgery",
"Content": "CVE ID : CVE-2025-11864
Published : Oct. 16, 2025, 9:15 p.m. | 44 minutes ago
Description : A vulnerability was identified in NucleoidAI Nucleoid up to 0.7.10. The impacted element is the function extension.apply of the file /src/cluster.ts of the component Outbound Request Handler. Such manipulation of the argument https/ip/port/path/headers leads to server-side request forgery. The attack may be performed from remote.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-11864 - NucleoidAI Nucleoid Outbound Request cluster.ts extension.apply server-side request forgery",
"Content": "CVE ID : CVE-2025-11864
Published : Oct. 16, 2025, 9:15 p.m. | 44 minutes ago
Description : A vulnerability was identified in NucleoidAI Nucleoid up to 0.7.10. The impacted element is the function extension.apply of the file /src/cluster.ts of the component Outbound Request Handler. Such manipulation of the argument https/ip/port/path/headers leads to server-side request forgery. The attack may be performed from remote.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-61554 - BitVisor VirtIO Network Device Emulation Divide-by-Zero Denial of Service Vulnerability",
"Content": "CVE ID : CVE-2025-61554
Published : Oct. 16, 2025, 8:15 p.m. | 1 hour, 44 minutes ago
Description : A divide-by-zero in VirtIO network device emulation in BitVisor from commit 108df6 (2020-05-20) to commit 480907 (2025-07-06) allows local attackers to cause a denial of service (host hypervisor crash) via a crafted PCI configuration space access.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-61554 - BitVisor VirtIO Network Device Emulation Divide-by-Zero Denial of Service Vulnerability",
"Content": "CVE ID : CVE-2025-61554
Published : Oct. 16, 2025, 8:15 p.m. | 1 hour, 44 minutes ago
Description : A divide-by-zero in VirtIO network device emulation in BitVisor from commit 108df6 (2020-05-20) to commit 480907 (2025-07-06) allows local attackers to cause a denial of service (host hypervisor crash) via a crafted PCI configuration space access.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-60358 - Radare2 Memory Leak Vulnerability",
"Content": "CVE ID : CVE-2025-60358
Published : Oct. 16, 2025, 8:15 p.m. | 1 hour, 44 minutes ago
Description : radare2 v.5.9.8 and before contains a memory leak in the function _load_relocations.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-60358 - Radare2 Memory Leak Vulnerability",
"Content": "CVE ID : CVE-2025-60358
Published : Oct. 16, 2025, 8:15 p.m. | 1 hour, 44 minutes ago
Description : radare2 v.5.9.8 and before contains a memory leak in the function _load_relocations.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-11896 - Stack overflow in Xpdf 4.05 due to object loop in PDF CMap",
"Content": "CVE ID : CVE-2025-11896
Published : Oct. 16, 2025, 10:15 p.m. | 1 hour, 46 minutes ago
Description : In Xpdf 4.05 (and earlier), a PDF object loop in a CMap, via the "UseCMap" entry, leads to infinite recursion and a stack overflow.
Severity: 2.1 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-11896 - Stack overflow in Xpdf 4.05 due to object loop in PDF CMap",
"Content": "CVE ID : CVE-2025-11896
Published : Oct. 16, 2025, 10:15 p.m. | 1 hour, 46 minutes ago
Description : In Xpdf 4.05 (and earlier), a PDF object loop in a CMap, via the "UseCMap" entry, leads to infinite recursion and a stack overflow.
Severity: 2.1 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-11900 - HGiga๏ฝiSherlock - OS Command Injection",
"Content": "CVE ID : CVE-2025-11900
Published : Oct. 17, 2025, 3:50 a.m. | 19 minutes ago
Description : The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-11900 - HGiga๏ฝiSherlock - OS Command Injection",
"Content": "CVE ID : CVE-2025-11900
Published : Oct. 17, 2025, 3:50 a.m. | 19 minutes ago
Description : The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น