CVE-2025-63685 - Quark Cloud Drive DLL Hijacking
CVE ID : CVE-2025-63685
Published : Nov. 20, 2025, 9:16 p.m. | 3 hours, 13 minutes ago
Description : Quark Cloud Drive v3.23.2 has a DLL Hijacking vulnerability. This vulnerability stems from the insecure loading of system libraries. Specifically, the application does not validate the path or signature of [regsvr32.exe] it loads. An attacker can place a crafted malicious DLL in the application's startup directory, which will be loaded and executed when the user launches the program.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63685
Published : Nov. 20, 2025, 9:16 p.m. | 3 hours, 13 minutes ago
Description : Quark Cloud Drive v3.23.2 has a DLL Hijacking vulnerability. This vulnerability stems from the insecure loading of system libraries. Specifically, the application does not validate the path or signature of [regsvr32.exe] it loads. An attacker can place a crafted malicious DLL in the application's startup directory, which will be loaded and executed when the user launches the program.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-63807 - "Blogin Weak Verification Code Brute-Force Authentication Bypass"
CVE ID : CVE-2025-63807
Published : Nov. 20, 2025, 9:16 p.m. | 3 hours, 13 minutes ago
Description : An issue was discovered in weijiang1994 university-bbs (aka Blogin) in commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 (2025-01-13). A weak verification code generation mechanism combined with missing rate limiting allows attackers to perform brute-force attacks on verification codes without authentication. Successful exploitation may result in account takeover via password reset or other authentication bypass methods.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63807
Published : Nov. 20, 2025, 9:16 p.m. | 3 hours, 13 minutes ago
Description : An issue was discovered in weijiang1994 university-bbs (aka Blogin) in commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 (2025-01-13). A weak verification code generation mechanism combined with missing rate limiting allows attackers to perform brute-force attacks on verification codes without authentication. Successful exploitation may result in account takeover via password reset or other authentication bypass methods.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64770 - Missing Authentication for ONVIF in iCam Cameras
CVE ID : CVE-2025-64770
Published : Nov. 20, 2025, 9:16 p.m. | 3 hours, 13 minutes ago
Description : The affected products allow unauthenticated access to Open Network Video Interface Forum (ONVIF) services, which may allow an attacker unauthorized access to camera configuration information.
Severity: 7.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64770
Published : Nov. 20, 2025, 9:16 p.m. | 3 hours, 13 minutes ago
Description : The affected products allow unauthenticated access to Open Network Video Interface Forum (ONVIF) services, which may allow an attacker unauthorized access to camera configuration information.
Severity: 7.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13087 - Command Injection in Opto22 Groov REST API
CVE ID : CVE-2025-13087
Published : Nov. 20, 2025, 10:15 p.m. | 2 hours, 13 minutes ago
Description : A vulnerability exists in the Opto22 Groov Manage REST API on GRV-EPIC and groov RIO Products that allows remote code execution with root privileges. When a POST request is executed against the vulnerable endpoint, the application reads certain header details and unsafely uses these values to build commands, allowing an attacker with administrative privileges to inject arbitrary commands that execute as root.
Severity: 6.2 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13087
Published : Nov. 20, 2025, 10:15 p.m. | 2 hours, 13 minutes ago
Description : A vulnerability exists in the Opto22 Groov Manage REST API on GRV-EPIC and groov RIO Products that allows remote code execution with root privileges. When a POST request is executed against the vulnerable endpoint, the application reads certain header details and unsafely uses these values to build commands, allowing an attacker with administrative privileges to inject arbitrary commands that execute as root.
Severity: 6.2 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-36153 - IBM Concert Cross-Site Scripting
CVE ID : CVE-2025-36153
Published : Nov. 20, 2025, 10:15 p.m. | 2 hours, 13 minutes ago
Description : IBM Concert 1.0.0 through 2.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-36153
Published : Nov. 20, 2025, 10:15 p.m. | 2 hours, 13 minutes ago
Description : IBM Concert 1.0.0 through 2.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-36158 - IBM Concert Information Disclosure
CVE ID : CVE-2025-36158
Published : Nov. 20, 2025, 10:15 p.m. | 2 hours, 13 minutes ago
Description : IBM Concert 1.0.0 through 2.0.0 could allow a local user with specific permission to obtain sensitive information from files due to uncontrolled recursive directory copying.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-36158
Published : Nov. 20, 2025, 10:15 p.m. | 2 hours, 13 minutes ago
Description : IBM Concert 1.0.0 through 2.0.0 could allow a local user with specific permission to obtain sensitive information from files due to uncontrolled recursive directory copying.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-36159 - IBM Concert Improper Log Neutralization
CVE ID : CVE-2025-36159
Published : Nov. 20, 2025, 10:15 p.m. | 2 hours, 13 minutes ago
Description : IBM Concert 1.0.0 through 2.0.0 could allow a local user to forge log files to impersonate other users or hide their identity due to improper neutralization of output.
Severity: 6.2 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-36159
Published : Nov. 20, 2025, 10:15 p.m. | 2 hours, 13 minutes ago
Description : IBM Concert 1.0.0 through 2.0.0 could allow a local user to forge log files to impersonate other users or hide their identity due to improper neutralization of output.
Severity: 6.2 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-36160 - IBM Concert Information Disclosure
CVE ID : CVE-2025-36160
Published : Nov. 20, 2025, 10:15 p.m. | 2 hours, 13 minutes ago
Description : IBM Concert 1.0.0 through 2.0.0 could disclose sensitive server information from HTTP response headers that could aid in further attacks against the system.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-36160
Published : Nov. 20, 2025, 10:15 p.m. | 2 hours, 13 minutes ago
Description : IBM Concert 1.0.0 through 2.0.0 could disclose sensitive server information from HTTP response headers that could aid in further attacks against the system.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-61138 - Qlik Sense Enterprise Unauthenticated Directory Information Disclosure
CVE ID : CVE-2025-61138
Published : Nov. 20, 2025, 10:16 p.m. | 2 hours, 13 minutes ago
Description : Qlik Sense Enterprise v14.212.13 was discovered to contain an information leak via the /dev-hub/ directory.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-61138
Published : Nov. 20, 2025, 10:16 p.m. | 2 hours, 13 minutes ago
Description : Qlik Sense Enterprise v14.212.13 was discovered to contain an information leak via the /dev-hub/ directory.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13484 - Campcodes Complete Online Beauty Parlor Management System customer-list.php cross site scripting
CVE ID : CVE-2025-13484
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 14 minutes ago
Description : A vulnerability was identified in Campcodes Complete Online Beauty Parlor Management System 1.0. This vulnerability affects unknown code of the file /admin/customer-list.php. The manipulation of the argument Name leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13484
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 14 minutes ago
Description : A vulnerability was identified in Campcodes Complete Online Beauty Parlor Management System 1.0. This vulnerability affects unknown code of the file /admin/customer-list.php. The manipulation of the argument Name leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-36072 - IBM webMethods Integration Deserialization
CVE ID : CVE-2025-36072
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : IBM webMethods Integration 10.11 through 10.11_Core_Fix22, 10.15 through 10.15_Core_Fix22, and 11.1 through 11.1_Core_Fix6 IBM webMethods Integration allow an authenticated user to execute arbitrary code on the system, caused by the deserialization of untrusted object graphs data.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-36072
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : IBM webMethods Integration 10.11 through 10.11_Core_Fix22, 10.15 through 10.15_Core_Fix22, and 11.1 through 11.1_Core_Fix6 IBM webMethods Integration allow an authenticated user to execute arbitrary code on the system, caused by the deserialization of untrusted object graphs data.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-49752 - Azure Bastion Elevation of Privilege Vulnerability
CVE ID : CVE-2025-49752
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : Azure Bastion Elevation of Privilege Vulnerability
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-49752
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : Azure Bastion Elevation of Privilege Vulnerability
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59245 - Microsoft SharePoint Online Elevation of Privilege Vulnerability
CVE ID : CVE-2025-59245
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : Microsoft SharePoint Online Elevation of Privilege Vulnerability
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59245
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : Microsoft SharePoint Online Elevation of Privilege Vulnerability
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-62207 - Azure Monitor Elevation of Privilege Vulnerability
CVE ID : CVE-2025-62207
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : Azure Monitor Elevation of Privilege Vulnerability
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-62207
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : Azure Monitor Elevation of Privilege Vulnerability
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-62459 - Microsoft Defender Portal Spoofing Vulnerability
CVE ID : CVE-2025-62459
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : Microsoft Defender Portal Spoofing Vulnerability
Severity: 8.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-62459
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : Microsoft Defender Portal Spoofing Vulnerability
Severity: 8.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64655 - Dynamics OmniChannel SDK Storage Containers Elevation of Privilege Vulnerability
CVE ID : CVE-2025-64655
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : Improper authorization in Dynamics OmniChannel SDK Storage Containers allows an unauthorized attacker to elevate privileges over a network.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64655
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : Improper authorization in Dynamics OmniChannel SDK Storage Containers allows an unauthorized attacker to elevate privileges over a network.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64660 - GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability
CVE ID : CVE-2025-64660
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to bypass a security feature over a network.
Severity: 5.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64660
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to bypass a security feature over a network.
Severity: 5.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13485 - itsourcecode Online File Management System ajax.php sql injection
CVE ID : CVE-2025-13485
Published : Nov. 21, 2025, 12:02 a.m. | 27 minutes ago
Description : A security flaw has been discovered in itsourcecode Online File Management System 1.0. This issue affects some unknown processing of the file /ajax.php?action=login. The manipulation of the argument Username results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be exploited.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13485
Published : Nov. 21, 2025, 12:02 a.m. | 27 minutes ago
Description : A security flaw has been discovered in itsourcecode Online File Management System 1.0. This issue affects some unknown processing of the file /ajax.php?action=login. The manipulation of the argument Username results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be exploited.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-62164 - VLLM deserialization vulnerability leading to DoS and potential RCE
CVE ID : CVE-2025-62164
Published : Nov. 21, 2025, 2:15 a.m. | 14 minutes ago
Description : vLLM is an inference and serving engine for large language models (LLMs). From versions 0.10.2 to before 0.11.1, a memory corruption vulnerability could lead to a crash (denial-of-service) and potentially remote code execution (RCE), exists in the Completions API endpoint. When processing user-supplied prompt embeddings, the endpoint loads serialized tensors using torch.load() without sufficient validation. Due to a change introduced in PyTorch 2.8.0, sparse tensor integrity checks are disabled by default. As a result, maliciously crafted tensors can bypass internal bounds checks and trigger an out-of-bounds memory write during the call to to_dense(). This memory corruption can crash vLLM and potentially lead to code execution on the server hosting vLLM. This issue has been patched in version 0.11.1.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-62164
Published : Nov. 21, 2025, 2:15 a.m. | 14 minutes ago
Description : vLLM is an inference and serving engine for large language models (LLMs). From versions 0.10.2 to before 0.11.1, a memory corruption vulnerability could lead to a crash (denial-of-service) and potentially remote code execution (RCE), exists in the Completions API endpoint. When processing user-supplied prompt embeddings, the endpoint loads serialized tensors using torch.load() without sufficient validation. Due to a change introduced in PyTorch 2.8.0, sparse tensor integrity checks are disabled by default. As a result, maliciously crafted tensors can bypass internal bounds checks and trigger an out-of-bounds memory write during the call to to_dense(). This memory corruption can crash vLLM and potentially lead to code execution on the server hosting vLLM. This issue has been patched in version 0.11.1.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-62372 - vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs
CVE ID : CVE-2025-62372
Published : Nov. 21, 2025, 2:15 a.m. | 14 minutes ago
Description : vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before 0.11.1, users can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct ndim but incorrect shape (e.g. hidden dimension is wrong), regardless of whether the model is intended to support such inputs (as defined in the Supported Models page). This issue has been patched in version 0.11.1.
Severity: 8.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-62372
Published : Nov. 21, 2025, 2:15 a.m. | 14 minutes ago
Description : vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before 0.11.1, users can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct ndim but incorrect shape (e.g. hidden dimension is wrong), regardless of whether the model is intended to support such inputs (as defined in the Supported Models page). This issue has been patched in version 0.11.1.
Severity: 8.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-62426 - vLLM vulnerable to DoS via large Chat Completion or Tokenization requests with specially crafted `chat_template_kwargs`
CVE ID : CVE-2025-62426
Published : Nov. 21, 2025, 2:15 a.m. | 14 minutes ago
Description : vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before 0.11.1, the /v1/chat/completions and /tokenize endpoints allow a chat_template_kwargs request parameter that is used in the code before it is properly validated against the chat template. With the right chat_template_kwargs parameters, it is possible to block processing of the API server for long periods of time, delaying all other requests. This issue has been patched in version 0.11.1.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-62426
Published : Nov. 21, 2025, 2:15 a.m. | 14 minutes ago
Description : vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before 0.11.1, the /v1/chat/completions and /tokenize endpoints allow a chat_template_kwargs request parameter that is used in the code before it is properly validated against the chat template. With the right chat_template_kwargs parameters, it is possible to block processing of the API server for long periods of time, delaying all other requests. This issue has been patched in version 0.11.1.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...