{
"Source": "CVE FEED",
"Title": "CVE-2025-11895 - Binary MLM Plan <= 3.0 - authenticated (subscriber+) insecure direct object reference",
"Content": "CVE ID : CVE-2025-11895
Published : Oct. 17, 2025, 9:26 a.m. | 52 minutes ago
Description : The Binary MLM Plan plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 3.0. This is due to the bmp_user_payout_detail_of_current_user() function selecting payout records solely by id without verifying ownership. This makes it possible for authenticated attackers with the bmp_user role (often subscribers) to view other members' payout summaries via direct requests to the /bmp-account-detail/ endpoint with a crafted payout-id parameter granted they can access the shortcode output.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-11895 - Binary MLM Plan <= 3.0 - authenticated (subscriber+) insecure direct object reference",
"Content": "CVE ID : CVE-2025-11895
Published : Oct. 17, 2025, 9:26 a.m. | 52 minutes ago
Description : The Binary MLM Plan plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 3.0. This is due to the bmp_user_payout_detail_of_current_user() function selecting payout records solely by id without verifying ownership. This makes it possible for authenticated attackers with the bmp_user role (often subscribers) to view other members' payout summaries via direct requests to the /bmp-account-detail/ endpoint with a crafted payout-id parameter granted they can access the shortcode output.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2023-28814 - Hikvision iSecure Center Improper File Upload Vulnerability",
"Content": "CVE ID : CVE-2023-28814
Published : Oct. 17, 2025, 11:15 a.m. | 1 hour, 5 minutes ago
Description : Some versions of Hikvision's iSecure Center Product have an improper file upload control vulnerability. Due to the improper verification of file to be uploaded, attackers may upload malicious files to the server. iSecure Center is software released for China's domestic market only, with no overseas release.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2023-28814 - Hikvision iSecure Center Improper File Upload Vulnerability",
"Content": "CVE ID : CVE-2023-28814
Published : Oct. 17, 2025, 11:15 a.m. | 1 hour, 5 minutes ago
Description : Some versions of Hikvision's iSecure Center Product have an improper file upload control vulnerability. Due to the improper verification of file to be uploaded, attackers may upload malicious files to the server. iSecure Center is software released for China's domestic market only, with no overseas release.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2023-28815 - Hikvision iSecure Center Command Injection Vulnerability",
"Content": "CVE ID : CVE-2023-28815
Published : Oct. 17, 2025, 11:07 a.m. | 1 hour, 13 minutes ago
Description : Some versions of Hikvision's iSecure Center Product contain insufficient parameter validation, resulting in a command injection vulnerability. Attackers may exploit this to gain platform privileges and execute arbitrary commands on the system.iSecure Center is software released for China's domestic market only, with no overseas release.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2023-28815 - Hikvision iSecure Center Command Injection Vulnerability",
"Content": "CVE ID : CVE-2023-28815
Published : Oct. 17, 2025, 11:07 a.m. | 1 hour, 13 minutes ago
Description : Some versions of Hikvision's iSecure Center Product contain insufficient parameter validation, resulting in a command injection vulnerability. Attackers may exploit this to gain platform privileges and execute arbitrary commands on the system.iSecure Center is software released for China's domestic market only, with no overseas release.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-48087 - WordPress Memberlite Shortcodes plugin <= 1.4.1 - cross site scripting (xss) vulnerability",
"Content": "CVE ID : CVE-2025-48087
Published : Oct. 17, 2025, 2:18 p.m. | 12 minutes ago
Description : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jason C. Memberlite Shortcodes memberlite-shortcodes allows Stored XSS.This issue affects Memberlite Shortcodes: from n/a through 1.4.1.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-48087 - WordPress Memberlite Shortcodes plugin <= 1.4.1 - cross site scripting (xss) vulnerability",
"Content": "CVE ID : CVE-2025-48087
Published : Oct. 17, 2025, 2:18 p.m. | 12 minutes ago
Description : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jason C. Memberlite Shortcodes memberlite-shortcodes allows Stored XSS.This issue affects Memberlite Shortcodes: from n/a through 1.4.1.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-60360 - Radare2 Memory Leak Vulnerability",
"Content": "CVE ID : CVE-2025-60360
Published : Oct. 17, 2025, 2:15 p.m. | 14 minutes ago
Description : radare2 v5.9.8 and before contains a memory leak in the function r2r_subprocess_init.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-60360 - Radare2 Memory Leak Vulnerability",
"Content": "CVE ID : CVE-2025-60360
Published : Oct. 17, 2025, 2:15 p.m. | 14 minutes ago
Description : radare2 v5.9.8 and before contains a memory leak in the function r2r_subprocess_init.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-11903 - yanyutao0402 ChanCMS update sql injection",
"Content": "CVE ID : CVE-2025-11903
Published : Oct. 17, 2025, 2:15 p.m. | 14 minutes ago
Description : A flaw has been found in yanyutao0402 ChanCMS up to 3.3.2. Affected by this issue is the function update of the file /cms/article/update. Executing manipulation of the argument cid can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-11903 - yanyutao0402 ChanCMS update sql injection",
"Content": "CVE ID : CVE-2025-11903
Published : Oct. 17, 2025, 2:15 p.m. | 14 minutes ago
Description : A flaw has been found in yanyutao0402 ChanCMS up to 3.3.2. Affected by this issue is the function update of the file /cms/article/update. Executing manipulation of the argument cid can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-48044 - Authorization bypass when bypass policy condition evaluates to true",
"Content": "CVE ID : CVE-2025-48044
Published : Oct. 17, 2025, 2:15 p.m. | 14 minutes ago
Description : Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines 'Elixir.Ash.Policy.Policy':expression/2.
This issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-48044 - Authorization bypass when bypass policy condition evaluates to true",
"Content": "CVE ID : CVE-2025-48044
Published : Oct. 17, 2025, 2:15 p.m. | 14 minutes ago
Description : Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines 'Elixir.Ash.Policy.Policy':expression/2.
This issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-60359 - Radare2 Bin Object Memory Leak",
"Content": "CVE ID : CVE-2025-60359
Published : Oct. 17, 2025, 2:15 p.m. | 14 minutes ago
Description : radare2 v5.9.8 and before contains a memory leak in the function r_bin_object_new.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-60359 - Radare2 Bin Object Memory Leak",
"Content": "CVE ID : CVE-2025-60359
Published : Oct. 17, 2025, 2:15 p.m. | 14 minutes ago
Description : radare2 v5.9.8 and before contains a memory leak in the function r_bin_object_new.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-11902 - yanyutao0402 ChanCMS findField sql injection",
"Content": "CVE ID : CVE-2025-11902
Published : Oct. 17, 2025, 2:15 p.m. | 14 minutes ago
Description : A vulnerability was detected in yanyutao0402 ChanCMS up to 3.3.2. Affected by this vulnerability is the function findField of the file /cms/article/findField. Performing manipulation of the argument cid results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-11902 - yanyutao0402 ChanCMS findField sql injection",
"Content": "CVE ID : CVE-2025-11902
Published : Oct. 17, 2025, 2:15 p.m. | 14 minutes ago
Description : A vulnerability was detected in yanyutao0402 ChanCMS up to 3.3.2. Affected by this vulnerability is the function findField of the file /cms/article/findField. Performing manipulation of the argument cid results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-62168 - Squid vulnerable to information disclosure via authentication credential leakage in error handling",
"Content": "CVE ID : CVE-2025-62168
Published : Oct. 17, 2025, 4:21 p.m. | 9 minutes ago
Description : Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Squid to be configured with HTTP authentication. The vulnerability is fixed in version 7.2. As a workaround, disable debug information in administrator mailto links generated by Squid by configuring squid.conf with email_err_data off.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-62168 - Squid vulnerable to information disclosure via authentication credential leakage in error handling",
"Content": "CVE ID : CVE-2025-62168
Published : Oct. 17, 2025, 4:21 p.m. | 9 minutes ago
Description : Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Squid to be configured with HTTP authentication. The vulnerability is fixed in version 7.2. As a workaround, disable debug information in administrator mailto links generated by Squid by configuring squid.conf with email_err_data off.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-8414 - Zigbee Green Power Host Buffer Overflow Vulnerability",
"Content": "CVE ID : CVE-2025-8414
Published : Oct. 17, 2025, 4:15 p.m. | 15 minutes ago
Description : Due to improper input validation, a buffer overflow vulnerability is present in
Zigbee EZSP Host Applications. If the buffer overflows, stack corruption is possible. In certain
conditions, this could lead to arbitrary code execution. Access to a network key is required to exploit this vulnerability.
Severity: 9.4 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-8414 - Zigbee Green Power Host Buffer Overflow Vulnerability",
"Content": "CVE ID : CVE-2025-8414
Published : Oct. 17, 2025, 4:15 p.m. | 15 minutes ago
Description : Due to improper input validation, a buffer overflow vulnerability is present in
Zigbee EZSP Host Applications. If the buffer overflows, stack corruption is possible. In certain
conditions, this could lead to arbitrary code execution. Access to a network key is required to exploit this vulnerability.
Severity: 9.4 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-62353 - Windsurf IDE Path Traversal Vulnerability",
"Content": "CVE ID : CVE-2025-62353
Published : Oct. 17, 2025, 4:15 p.m. | 15 minutes ago
Description : A path traversal vulnerability in all versions of the Windsurf IDE enables a threat actor to read and write arbitrary local files in and outside of current projects on an end userโs system. The vulnerability can be reached directly and through indirect prompt injection.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-62353 - Windsurf IDE Path Traversal Vulnerability",
"Content": "CVE ID : CVE-2025-62353
Published : Oct. 17, 2025, 4:15 p.m. | 15 minutes ago
Description : A path traversal vulnerability in all versions of the Windsurf IDE enables a threat actor to read and write arbitrary local files in and outside of current projects on an end userโs system. The vulnerability can be reached directly and through indirect prompt injection.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-62356 - Qodo Qodo Gen IDE Path Traversal Vulnerability",
"Content": "CVE ID : CVE-2025-62356
Published : Oct. 17, 2025, 4:15 p.m. | 15 minutes ago
Description : A path traversal vulnerability in all versions of the Qodo Qodo Gen IDE enables a threat actor to read arbitrary local files in and outside of current projects on an end userโs system. The vulnerability can be reached directly and through indirect prompt injection.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-62356 - Qodo Qodo Gen IDE Path Traversal Vulnerability",
"Content": "CVE ID : CVE-2025-62356
Published : Oct. 17, 2025, 4:15 p.m. | 15 minutes ago
Description : A path traversal vulnerability in all versions of the Qodo Qodo Gen IDE enables a threat actor to read arbitrary local files in and outside of current projects on an end userโs system. The vulnerability can be reached directly and through indirect prompt injection.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-57567 - PluXml CMS Theme Editor Remote Code Execution (RCE)",
"Content": "CVE ID : CVE-2025-57567
Published : Oct. 17, 2025, 4:15 p.m. | 15 minutes ago
Description : A remote code execution (RCE) vulnerability exists in the PluXml CMS theme editor, specifically in the minify.php file located under the default theme directory (/themes/defaut/css/minify.php). An authenticated administrator user can overwrite this file with arbitrary PHP code via the admin panel, enabling execution of system commands.
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-57567 - PluXml CMS Theme Editor Remote Code Execution (RCE)",
"Content": "CVE ID : CVE-2025-57567
Published : Oct. 17, 2025, 4:15 p.m. | 15 minutes ago
Description : A remote code execution (RCE) vulnerability exists in the PluXml CMS theme editor, specifically in the minify.php file located under the default theme directory (/themes/defaut/css/minify.php). An authenticated administrator user can overwrite this file with arbitrary PHP code via the admin panel, enabling execution of system commands.
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-58747 - Dify MCP OAuth Flow Vulnerable to XSS",
"Content": "CVE ID : CVE-2025-58747
Published : Oct. 17, 2025, 4:15 p.m. | 15 minutes ago
Description : Dify is an LLM application development platform. In Dify versions through 1.9.1, the MCP OAuth component is vulnerable to cross-site scripting when a victim connects to an attacker-controlled remote MCP server. The vulnerability exists in the OAuth flow implementation where the authorization_url provided by a remote MCP server is directly passed to window.open without validation or sanitization. An attacker can craft a malicious MCP server that returns a JavaScript URI (such as javascript:alert(1)) in the authorization_url field, which is then executed when the victim attempts to connect to the MCP server. This allows the attacker to execute arbitrary JavaScript in the context of the Dify application.
Severity: 2.0 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-58747 - Dify MCP OAuth Flow Vulnerable to XSS",
"Content": "CVE ID : CVE-2025-58747
Published : Oct. 17, 2025, 4:15 p.m. | 15 minutes ago
Description : Dify is an LLM application development platform. In Dify versions through 1.9.1, the MCP OAuth component is vulnerable to cross-site scripting when a victim connects to an attacker-controlled remote MCP server. The vulnerability exists in the OAuth flow implementation where the authorization_url provided by a remote MCP server is directly passed to window.open without validation or sanitization. An attacker can craft a malicious MCP server that returns a JavaScript URI (such as javascript:alert(1)) in the authorization_url field, which is then executed when the victim attempts to connect to the MCP server. This allows the attacker to execute arbitrary JavaScript in the context of the Dify application.
Severity: 2.0 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-59043 - OpenBao vulnerable to denial of service via malicious JSON request processing",
"Content": "CVE ID : CVE-2025-59043
Published : Oct. 17, 2025, 4:15 p.m. | 15 minutes ago
Description : OpenBao is an open source identity-based secrets management system. In OpenBao versions prior to 2.4.1, JSON objects after decoding may use significantly more memory than their serialized version. It is possible to craft a JSON payload to maximize the factor between serialized memory usage and deserialized memory usage, similar to a zip bomb, with factors reaching approximately 35. This can be used to circumvent the max_request_size configuration parameter which is intended to protect against denial of service attacks. The request body is parsed into a map very early in the request handling chain before authentication, which means an unauthenticated attacker can send a specifically crafted JSON object and cause an out-of-memory crash. Additionally, for requests with large numbers of strings, the audit subsystem can consume large quantities of CPU. The vulnerability is fixed in version 2.4.1.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-59043 - OpenBao vulnerable to denial of service via malicious JSON request processing",
"Content": "CVE ID : CVE-2025-59043
Published : Oct. 17, 2025, 4:15 p.m. | 15 minutes ago
Description : OpenBao is an open source identity-based secrets management system. In OpenBao versions prior to 2.4.1, JSON objects after decoding may use significantly more memory than their serialized version. It is possible to craft a JSON payload to maximize the factor between serialized memory usage and deserialized memory usage, similar to a zip bomb, with factors reaching approximately 35. This can be used to circumvent the max_request_size configuration parameter which is intended to protect against denial of service attacks. The request body is parsed into a map very early in the request handling chain before authentication, which means an unauthenticated attacker can send a specifically crafted JSON object and cause an out-of-memory crash. Additionally, for requests with large numbers of strings, the audit subsystem can consume large quantities of CPU. The vulnerability is fixed in version 2.4.1.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-60279 - Illia Cloud illia-Builder SSRF Vulnerability",
"Content": "CVE ID : CVE-2025-60279
Published : Oct. 17, 2025, 4:15 p.m. | 15 minutes ago
Description : A server-side request forgery (SSRF) vulnerability in Illia Cloud illia-Builder before v4.8.5 allows authenticated users to send arbitrary requests to internal services via the API. An attacker can leverage this to enumerate open ports based on response discrepancies and interact with internal services.
Severity: 9.6 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-60279 - Illia Cloud illia-Builder SSRF Vulnerability",
"Content": "CVE ID : CVE-2025-60279
Published : Oct. 17, 2025, 4:15 p.m. | 15 minutes ago
Description : A server-side request forgery (SSRF) vulnerability in Illia Cloud illia-Builder before v4.8.5 allows authenticated users to send arbitrary requests to internal services via the API. An attacker can leverage this to enumerate open ports based on response discrepancies and interact with internal services.
Severity: 9.6 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-11905 - yanyutao0402 ChanCMS gather.js getArticle code injection",
"Content": "CVE ID : CVE-2025-11905
Published : Oct. 17, 2025, 4:15 p.m. | 15 minutes ago
Description : A vulnerability was found in yanyutao0402 ChanCMS up to 3.3.2. This vulnerability affects the function getArticle of the file app\modules\cms\controller\gather.js. The manipulation results in code injection. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-11905 - yanyutao0402 ChanCMS gather.js getArticle code injection",
"Content": "CVE ID : CVE-2025-11905
Published : Oct. 17, 2025, 4:15 p.m. | 15 minutes ago
Description : A vulnerability was found in yanyutao0402 ChanCMS up to 3.3.2. This vulnerability affects the function getArticle of the file app\modules\cms\controller\gather.js. The manipulation results in code injection. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-26625 - Git LFS may write to arbitrary files via crafted symlinks",
"Content": "CVE ID : CVE-2025-26625
Published : Oct. 17, 2025, 4:15 p.m. | 15 minutes ago
Description : Git LFS is a Git extension for versioning large files. In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. The git lfs checkout and git lfs pull commands do not check for symbolic links before writing to files in the working tree, allowing an attacker to craft a repository containing symbolic or hard links that cause Git LFS to write to arbitrary file system locations accessible to the user running these commands. As well, when the git lfs checkout and git lfs pull commands are run in a bare repository, they could write to files visible outside the repository. The vulnerability is fixed in version 3.7.1. As a workaround, support for symlinks in Git may be disabled by setting the core.symlinks configuration option to false, after which further clones and fetches will not create symbolic links. However, any symbolic or hard links in existing repositories will still provide the opportunity for Git LFS to write to their targets.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-26625 - Git LFS may write to arbitrary files via crafted symlinks",
"Content": "CVE ID : CVE-2025-26625
Published : Oct. 17, 2025, 4:15 p.m. | 15 minutes ago
Description : Git LFS is a Git extension for versioning large files. In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. The git lfs checkout and git lfs pull commands do not check for symbolic links before writing to files in the working tree, allowing an attacker to craft a repository containing symbolic or hard links that cause Git LFS to write to arbitrary file system locations accessible to the user running these commands. As well, when the git lfs checkout and git lfs pull commands are run in a bare repository, they could write to files visible outside the repository. The vulnerability is fixed in version 3.7.1. As a workaround, support for symlinks in Git may be disabled by setting the core.symlinks configuration option to false, after which further clones and fetches will not create symbolic links. However, any symbolic or hard links in existing repositories will still provide the opportunity for Git LFS to write to their targets.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-49655 - Keras TorchModuleWrapper Deserialization Vulnerability",
"Content": "CVE ID : CVE-2025-49655
Published : Oct. 17, 2025, 4:15 p.m. | 15 minutes ago
Description : Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end userโs system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-49655 - Keras TorchModuleWrapper Deserialization Vulnerability",
"Content": "CVE ID : CVE-2025-49655
Published : Oct. 17, 2025, 4:15 p.m. | 15 minutes ago
Description : Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end userโs system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-60361 - Radare2 Bochs Open Memory Leak",
"Content": "CVE ID : CVE-2025-60361
Published : Oct. 17, 2025, 3:15 p.m. | 1 hour, 15 minutes ago
Description : radare2 v5.9.8 and before contains a memory leak in the function bochs_open.
Severity: 2.8 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-60361 - Radare2 Bochs Open Memory Leak",
"Content": "CVE ID : CVE-2025-60361
Published : Oct. 17, 2025, 3:15 p.m. | 1 hour, 15 minutes ago
Description : radare2 v5.9.8 and before contains a memory leak in the function bochs_open.
Severity: 2.8 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "17 Oct 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น