CVE-2025-36160 - IBM Concert Information Disclosure
CVE ID : CVE-2025-36160
Published : Nov. 20, 2025, 10:15 p.m. | 2 hours, 13 minutes ago
Description : IBM Concert 1.0.0 through 2.0.0 could disclose sensitive server information from HTTP response headers that could aid in further attacks against the system.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-36160
Published : Nov. 20, 2025, 10:15 p.m. | 2 hours, 13 minutes ago
Description : IBM Concert 1.0.0 through 2.0.0 could disclose sensitive server information from HTTP response headers that could aid in further attacks against the system.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-61138 - Qlik Sense Enterprise Unauthenticated Directory Information Disclosure
CVE ID : CVE-2025-61138
Published : Nov. 20, 2025, 10:16 p.m. | 2 hours, 13 minutes ago
Description : Qlik Sense Enterprise v14.212.13 was discovered to contain an information leak via the /dev-hub/ directory.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-61138
Published : Nov. 20, 2025, 10:16 p.m. | 2 hours, 13 minutes ago
Description : Qlik Sense Enterprise v14.212.13 was discovered to contain an information leak via the /dev-hub/ directory.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13484 - Campcodes Complete Online Beauty Parlor Management System customer-list.php cross site scripting
CVE ID : CVE-2025-13484
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 14 minutes ago
Description : A vulnerability was identified in Campcodes Complete Online Beauty Parlor Management System 1.0. This vulnerability affects unknown code of the file /admin/customer-list.php. The manipulation of the argument Name leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13484
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 14 minutes ago
Description : A vulnerability was identified in Campcodes Complete Online Beauty Parlor Management System 1.0. This vulnerability affects unknown code of the file /admin/customer-list.php. The manipulation of the argument Name leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-36072 - IBM webMethods Integration Deserialization
CVE ID : CVE-2025-36072
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : IBM webMethods Integration 10.11 through 10.11_Core_Fix22, 10.15 through 10.15_Core_Fix22, and 11.1 through 11.1_Core_Fix6 IBM webMethods Integration allow an authenticated user to execute arbitrary code on the system, caused by the deserialization of untrusted object graphs data.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-36072
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : IBM webMethods Integration 10.11 through 10.11_Core_Fix22, 10.15 through 10.15_Core_Fix22, and 11.1 through 11.1_Core_Fix6 IBM webMethods Integration allow an authenticated user to execute arbitrary code on the system, caused by the deserialization of untrusted object graphs data.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-49752 - Azure Bastion Elevation of Privilege Vulnerability
CVE ID : CVE-2025-49752
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : Azure Bastion Elevation of Privilege Vulnerability
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-49752
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : Azure Bastion Elevation of Privilege Vulnerability
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59245 - Microsoft SharePoint Online Elevation of Privilege Vulnerability
CVE ID : CVE-2025-59245
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : Microsoft SharePoint Online Elevation of Privilege Vulnerability
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59245
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : Microsoft SharePoint Online Elevation of Privilege Vulnerability
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-62207 - Azure Monitor Elevation of Privilege Vulnerability
CVE ID : CVE-2025-62207
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : Azure Monitor Elevation of Privilege Vulnerability
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-62207
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : Azure Monitor Elevation of Privilege Vulnerability
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-62459 - Microsoft Defender Portal Spoofing Vulnerability
CVE ID : CVE-2025-62459
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : Microsoft Defender Portal Spoofing Vulnerability
Severity: 8.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-62459
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : Microsoft Defender Portal Spoofing Vulnerability
Severity: 8.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64655 - Dynamics OmniChannel SDK Storage Containers Elevation of Privilege Vulnerability
CVE ID : CVE-2025-64655
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : Improper authorization in Dynamics OmniChannel SDK Storage Containers allows an unauthorized attacker to elevate privileges over a network.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64655
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : Improper authorization in Dynamics OmniChannel SDK Storage Containers allows an unauthorized attacker to elevate privileges over a network.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64660 - GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability
CVE ID : CVE-2025-64660
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to bypass a security feature over a network.
Severity: 5.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64660
Published : Nov. 20, 2025, 11:15 p.m. | 1 hour, 13 minutes ago
Description : Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to bypass a security feature over a network.
Severity: 5.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13485 - itsourcecode Online File Management System ajax.php sql injection
CVE ID : CVE-2025-13485
Published : Nov. 21, 2025, 12:02 a.m. | 27 minutes ago
Description : A security flaw has been discovered in itsourcecode Online File Management System 1.0. This issue affects some unknown processing of the file /ajax.php?action=login. The manipulation of the argument Username results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be exploited.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13485
Published : Nov. 21, 2025, 12:02 a.m. | 27 minutes ago
Description : A security flaw has been discovered in itsourcecode Online File Management System 1.0. This issue affects some unknown processing of the file /ajax.php?action=login. The manipulation of the argument Username results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be exploited.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-62164 - VLLM deserialization vulnerability leading to DoS and potential RCE
CVE ID : CVE-2025-62164
Published : Nov. 21, 2025, 2:15 a.m. | 14 minutes ago
Description : vLLM is an inference and serving engine for large language models (LLMs). From versions 0.10.2 to before 0.11.1, a memory corruption vulnerability could lead to a crash (denial-of-service) and potentially remote code execution (RCE), exists in the Completions API endpoint. When processing user-supplied prompt embeddings, the endpoint loads serialized tensors using torch.load() without sufficient validation. Due to a change introduced in PyTorch 2.8.0, sparse tensor integrity checks are disabled by default. As a result, maliciously crafted tensors can bypass internal bounds checks and trigger an out-of-bounds memory write during the call to to_dense(). This memory corruption can crash vLLM and potentially lead to code execution on the server hosting vLLM. This issue has been patched in version 0.11.1.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-62164
Published : Nov. 21, 2025, 2:15 a.m. | 14 minutes ago
Description : vLLM is an inference and serving engine for large language models (LLMs). From versions 0.10.2 to before 0.11.1, a memory corruption vulnerability could lead to a crash (denial-of-service) and potentially remote code execution (RCE), exists in the Completions API endpoint. When processing user-supplied prompt embeddings, the endpoint loads serialized tensors using torch.load() without sufficient validation. Due to a change introduced in PyTorch 2.8.0, sparse tensor integrity checks are disabled by default. As a result, maliciously crafted tensors can bypass internal bounds checks and trigger an out-of-bounds memory write during the call to to_dense(). This memory corruption can crash vLLM and potentially lead to code execution on the server hosting vLLM. This issue has been patched in version 0.11.1.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-62372 - vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs
CVE ID : CVE-2025-62372
Published : Nov. 21, 2025, 2:15 a.m. | 14 minutes ago
Description : vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before 0.11.1, users can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct ndim but incorrect shape (e.g. hidden dimension is wrong), regardless of whether the model is intended to support such inputs (as defined in the Supported Models page). This issue has been patched in version 0.11.1.
Severity: 8.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-62372
Published : Nov. 21, 2025, 2:15 a.m. | 14 minutes ago
Description : vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before 0.11.1, users can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct ndim but incorrect shape (e.g. hidden dimension is wrong), regardless of whether the model is intended to support such inputs (as defined in the Supported Models page). This issue has been patched in version 0.11.1.
Severity: 8.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-62426 - vLLM vulnerable to DoS via large Chat Completion or Tokenization requests with specially crafted `chat_template_kwargs`
CVE ID : CVE-2025-62426
Published : Nov. 21, 2025, 2:15 a.m. | 14 minutes ago
Description : vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before 0.11.1, the /v1/chat/completions and /tokenize endpoints allow a chat_template_kwargs request parameter that is used in the code before it is properly validated against the chat template. With the right chat_template_kwargs parameters, it is possible to block processing of the API server for long periods of time, delaying all other requests. This issue has been patched in version 0.11.1.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-62426
Published : Nov. 21, 2025, 2:15 a.m. | 14 minutes ago
Description : vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before 0.11.1, the /v1/chat/completions and /tokenize endpoints allow a chat_template_kwargs request parameter that is used in the code before it is properly validated against the chat template. With the right chat_template_kwargs parameters, it is possible to block processing of the API server for long periods of time, delaying all other requests. This issue has been patched in version 0.11.1.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64751 - OpenFGA Improper Policy Enforcement
CVE ID : CVE-2025-64751
Published : Nov. 21, 2025, 2:15 a.m. | 14 minutes ago
Description : OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.4.0 to v1.11.0 ( openfga-0.1.34 <= Helm chart <= openfga-0.2.48, v.1.4.0 <= docker <= v.1.11.0) are vulnerable to improper policy enforcement when certain Check and ListObject calls are executed. This issue has been patched in version 1.11.1.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64751
Published : Nov. 21, 2025, 2:15 a.m. | 14 minutes ago
Description : OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.4.0 to v1.11.0 ( openfga-0.1.34 <= Helm chart <= openfga-0.2.48, v.1.4.0 <= docker <= v.1.11.0) are vulnerable to improper policy enforcement when certain Check and ListObject calls are executed. This issue has been patched in version 1.11.1.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64755 - @anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes
CVE ID : CVE-2025-64755
Published : Nov. 21, 2025, 2:15 a.m. | 14 minutes ago
Description : Claude Code is an agentic coding tool. Prior to version 2.0.31, due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system. This issue has been patched in version 2.0.31.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64755
Published : Nov. 21, 2025, 2:15 a.m. | 14 minutes ago
Description : Claude Code is an agentic coding tool. Prior to version 2.0.31, due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system. This issue has been patched in version 2.0.31.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64762 - authkit-nextjs may let session cookies be cached in CDNs
CVE ID : CVE-2025-64762
Published : Nov. 21, 2025, 2:15 a.m. | 14 minutes ago
Description : The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In authkit-nextjs version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN caching is enabled, this can result in session tokens being included in cached responses and subsequently served to multiple users. Next.js applications deployed on Vercel are unaffected unless they manually enable CDN caching by setting cache headers on authenticated paths. Patched in authkit-nextjs 2.11.1, which applies anti-caching headers to all responses behind authentication.
Severity: 8.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64762
Published : Nov. 21, 2025, 2:15 a.m. | 14 minutes ago
Description : The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In authkit-nextjs version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN caching is enabled, this can result in session tokens being included in cached responses and subsequently served to multiple users. Next.js applications deployed on Vercel are unaffected unless they manually enable CDN caching by setting cache headers on authenticated paths. Patched in authkit-nextjs 2.11.1, which applies anti-caching headers to all responses behind authentication.
Severity: 8.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64310 - Epson Projector WebConfig Brute Force Authentication Vulnerability
CVE ID : CVE-2025-64310
Published : Nov. 21, 2025, 3:16 a.m. | 3 hours, 15 minutes ago
Description : EPSON WebConfig and Epson Web Control for SEIKO EPSON Projector Products do not restrict excessive authentication attempts. An administrative user's password may be identified through a brute force attack.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64310
Published : Nov. 21, 2025, 3:16 a.m. | 3 hours, 15 minutes ago
Description : EPSON WebConfig and Epson Web Control for SEIKO EPSON Projector Products do not restrict excessive authentication attempts. An administrative user's password may be identified through a brute force attack.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-11368 - LearnPress – WordPress LMS Plugin <= 4.2.9.4 - Missing Authorization to Unauthenticated Arbitrary Callback Execution to Information Exposure
CVE ID : CVE-2025-11368
Published : Nov. 21, 2025, 6:15 a.m. | 15 minutes ago
Description : The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary callback execution of admin-only template methods. This makes it possible for unauthenticated attackers to retrieve admin curriculum HTML, quiz questions with correct answers, course materials, and other sensitive educational content via the REST API endpoint granted they can supply valid numeric IDs.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-11368
Published : Nov. 21, 2025, 6:15 a.m. | 15 minutes ago
Description : The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary callback execution of admin-only template methods. This makes it possible for unauthenticated attackers to retrieve admin curriculum HTML, quiz questions with correct answers, course materials, and other sensitive educational content via the REST API endpoint granted they can supply valid numeric IDs.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12022 - ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Trash Restore
CVE ID : CVE-2025-12022
Published : Nov. 21, 2025, 6:15 a.m. | 15 minutes ago
Description : The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_restore_trash' AJAX endpoint in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to restore all deleted tickets.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12022
Published : Nov. 21, 2025, 6:15 a.m. | 15 minutes ago
Description : The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_restore_trash' AJAX endpoint in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to restore all deleted tickets.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12023 - ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Ticket Restore
CVE ID : CVE-2025-12023
Published : Nov. 21, 2025, 6:15 a.m. | 15 minutes ago
Description : The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eh_crm_restore_data() function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to restore tickets.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12023
Published : Nov. 21, 2025, 6:15 a.m. | 15 minutes ago
Description : The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eh_crm_restore_data() function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to restore tickets.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...