Overview CVE-2025-11368 is a medium-severity vulnerability in the LearnPress – WordPress LMS Plugin for WordPress, affecting all versions up to and including 4.2.9.4. It allows unauthenticated attackers to retrieve sensitive educational content, including curriculum HTML, quiz questions together with their correct answers, and course materials, because a REST API endpoint performs no capability check. Sites running a vulnerable version should update to the latest release as soon as possible. Technical Details The vulnerability lies in the REST endpoint /wp-json/lp/v1/load_content_via_ajax. Because the endpoint does not check the caller's capabilities, an unauthenticated attacker can trigger arbitrary…
-
Overview A critical security vulnerability, identified as CVE-2025-64310, has been discovered in EPSON WebConfig and Epson Web Control, components used in SEIKO EPSON Projector Products. This flaw allows attackers to conduct brute-force attacks against administrative user passwords due to the lack of restrictions on excessive authentication attempts. This poses a significant risk to the confidentiality, integrity, and availability of affected Epson projectors. Technical Details The vulnerability stems from the fact that EPSON WebConfig and Epson Web Control do not implement sufficient measures to prevent or limit the number of authentication attempts. An attacker can repeatedly attempt to log in to…
-
Overview CVE-2025-64762 identifies a security vulnerability in the AuthKit library for Next.js, specifically in versions 2.11.0 and below. This library provides helpers for authentication and session management when used with WorkOS and Next.js. The vulnerability arises from a failure to implement anti-caching headers in authenticated responses, potentially leading to session tokens being cached by CDNs and inadvertently served to multiple users. Technical Details The AuthKit library, prior to version 2.11.1, did not include necessary anti-caching headers (such as Cache-Control: no-cache, no-store, must-revalidate) in responses that contained authentication or session information. In environments employing CDN caching, this omission could result in…
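The failure mode above is easy to reproduce without a real CDN. The following is an added example, not AuthKit's code: a toy app server and a URL-keyed shared cache, with constructed session tokens, showing that a second user receives the first user's session body unless the authenticated response carries no-store (or private). Note that no-cache on its own only forces revalidation and does not stop a cache from storing the response.

```python
"""Added example (not AuthKit's code): how a URL-keyed shared cache hands one
user's session to another when an authenticated response lacks no-store.
Origin, SharedCache and the session tokens are constructed for this demo."""

from dataclasses import dataclass, field

SESSIONS = {"alice": "tok-alice", "bob": "tok-bob"}  # constructed tokens


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def cache_control_directives(headers):
    """Return the Cache-Control directive names as a lowercase set.
    Header names match case-insensitively; 'max-age=60' reduces to 'max-age'."""
    raw = ""
    for name, value in headers.items():
        if name.lower() == "cache-control":
            raw = value
    return {part.strip().split("=", 1)[0].lower()
            for part in raw.split(",") if part.strip()}


def is_storable_by_shared_cache(headers):
    """A shared cache may store the response unless it says no-store or private.
    no-cache alone only forces revalidation; it does not prevent storage."""
    return not ({"no-store", "private"} & cache_control_directives(headers))


def origin(path, user, anti_caching):
    """Toy app server: an authenticated page whose body carries the caller's
    session token. With anti_caching=True it adds the headers an AuthKit-style
    helper should put on every authenticated response."""
    headers = {"Content-Type": "text/html"}
    if anti_caching:
        headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
        headers["Pragma"] = "no-cache"
    return Response(body=f"{path}: session={SESSIONS[user]}", headers=headers)


class SharedCache:
    """A CDN edge that keys entries on the URL alone, ignoring who asked."""

    def __init__(self, anti_caching):
        self.anti_caching = anti_caching
        self.store = {}

    def fetch(self, path, user):
        if path in self.store:
            return self.store[path]  # served to a different user than it was built for
        resp = origin(path, user, self.anti_caching)
        if is_storable_by_shared_cache(resp.headers):
            self.store[path] = resp
        return resp


def token_seen_by(user, anti_caching):
    """Alice loads /account first, then `user` does; return what `user` receives."""
    cdn = SharedCache(anti_caching)
    cdn.fetch("/account", "alice")
    return cdn.fetch("/account", user).body


if __name__ == "__main__":
    print("without no-store, bob receives:", token_seen_by("bob", False))
    print("with no-store, bob receives:   ", token_seen_by("bob", True))
```

The check in is_storable_by_shared_cache is the one to run against a live deployment: fetch an authenticated page through the CDN and inspect Cache-Control; if neither no-store nor private is present, the edge is allowed to keep the response.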
-
Overview CVE-2025-64755 identifies a security vulnerability in Claude Code, an agentic coding tool. Prior to version 2.0.31, a flaw in the parsing of sed commands allowed attackers to bypass the intended read-only validation mechanisms. This bypass could potentially lead to arbitrary file writes on the host system, posing a significant security risk. Technical Details The vulnerability stems from improper sanitization or validation of user-supplied input used in constructing sed commands. Specifically, a specially crafted input string could manipulate the sed command’s behavior, circumventing the intended restrictions and allowing write operations to locations outside the designated read-only areas. The exact mechanism…
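The page does not say how the parser was bypassed, but the general lesson of a read-only validator for sed is that looking for dangerous tokens is fragile, since -i, w and e can appear in more places than a denylist anticipates. The following is an added example, not Claude Code's validator: an allowlist classifier that accepts only a small read-only subset of sed (options -n/-E/-r/-e, commands p, d, q, = and s with g/p/I/number flags, an assumption made for this demo) and rejects everything else, including options placed after the script and s-command flags that write a file or run a command.

```python
"""Added example (not Claude Code's validator): allowlist classifier for sed
invocations. The read-only subset is an assumption for this demo; anything
outside it is rejected rather than searched for known-bad tokens."""

import re

_ADDR = r"(?:\d+|\$|/(?:\\.|[^/\\])*/)"          # N, $, or /regex/ with escapes
_ADDRESS_RE = re.compile(rf"(?:{_ADDR}(?:,{_ADDR})?!?)?")
_QUIT_RE = re.compile(r"q\d*")                       # q, optionally with an exit code
_SAFE_S_FLAGS = re.compile(r"[gpI0-9]*")             # excludes w (write file) and e (exec)
_SAFE_OPTIONS = {"-n", "--quiet", "--silent", "-E", "-r", "--regexp-extended"}
_SEPARATORS = " \t\n;"


class UnsafeSed(ValueError):
    """Raised for anything outside the read-only subset."""


def _parse_s(script, i):
    """Parse s<d>pattern<d>replacement<d>flags with script[i] == 's'; return end index."""
    if i + 1 >= len(script) or script[i + 1] in "\\\n":
        raise UnsafeSed("malformed s command")
    delim, pos = script[i + 1], i + 2
    for _ in range(2):                                # pattern, then replacement
        while pos < len(script) and script[pos] != delim:
            pos += 2 if script[pos] == "\\" else 1    # skip escaped characters
        if pos >= len(script):
            raise UnsafeSed("unterminated s command")
        pos += 1
    return _SAFE_S_FLAGS.match(script, pos).end()


def _parse_script(script):
    """Walk the script one command at a time; any unrecognised syntax is fatal."""
    pos = 0
    while pos < len(script):
        if script[pos] in _SEPARATORS:
            pos += 1
            continue
        pos = _ADDRESS_RE.match(script, pos).end()
        while pos < len(script) and script[pos] == " ":
            pos += 1
        if pos >= len(script):
            raise UnsafeSed("address without a command")
        cmd = script[pos]
        if cmd in "pd=":
            pos += 1
        elif cmd == "q":
            pos = _QUIT_RE.match(script, pos).end()
        elif cmd == "s":
            pos = _parse_s(script, pos)
        else:
            raise UnsafeSed(f"command {cmd!r} is not in the read-only allowlist")
        if pos < len(script) and script[pos] not in _SEPARATORS:
            raise UnsafeSed(f"unexpected text after command: {script[pos:]!r}")


def check_read_only_sed(argv):
    """Raise UnsafeSed unless argv (e.g. ['sed', '-n', '/x/p', 'f']) is read-only."""
    if not argv or argv[0] not in ("sed", "gsed"):
        raise UnsafeSed("not a sed invocation")
    args, scripts, i = argv[1:], [], 0
    while i < len(args):
        a = args[i]
        if a in _SAFE_OPTIONS:
            i += 1
        elif a == "-e" and i + 1 < len(args):
            scripts.append(args[i + 1])
            i += 2
        elif a.startswith("--expression="):
            scripts.append(a.split("=", 1)[1])
            i += 1
        elif a.startswith("-") and a != "-":
            raise UnsafeSed(f"option {a!r} is not allowed")   # catches -i, -f, -s, -ni, ...
        else:
            break
    positional = args[i:]
    if not scripts:
        if not positional:
            raise UnsafeSed("no script given")
        scripts.append(positional.pop(0))
    if any(p.startswith("-") and p != "-" for p in positional):
        raise UnsafeSed("options after the script are not allowed")  # sed 'p' -i file
    for s in scripts:
        _parse_script(s)
    return True


def classify(argv):
    """Convenience wrapper: 'read-only' or 'rejected: <reason>'."""
    try:
        check_read_only_sed(argv)
        return "read-only"
    except UnsafeSed as exc:
        return f"rejected: {exc}"
```

Because the s command is parsed by consuming its delimited parts, a `;` or `/` inside a pattern cannot confuse the command split, and a trailing `w file` or `e` after the third delimiter is caught as unexpected text rather than silently accepted. Harmless commands such as y are also rejected, which is the cost of an allowlist.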
-
Overview CVE-2025-64751 identifies an improper policy enforcement vulnerability affecting OpenFGA, a high-performance and flexible authorization/permission engine inspired by Google Zanzibar. Specifically, versions v1.4.0 to v1.11.0 of OpenFGA are susceptible to this flaw. This vulnerability can lead to incorrect access control decisions when certain Check and ListObjects calls are executed, potentially granting unauthorized access to resources. The affected components include the Helm chart (versions openfga-0.1.34 to openfga-0.2.48) and Docker images (versions v1.4.0 to v1.11.0). A fix is available in OpenFGA version 1.11.1. Technical Details The vulnerability stems from a flaw in the logic used to evaluate authorization policies during Check and…
-
Overview CVE-2025-62426 is a medium-severity vulnerability affecting vLLM, an inference and serving engine for large language models (LLMs). Specifically, versions prior to 0.11.1 are susceptible to a denial-of-service (DoS) attack via the /v1/chat/completions and /tokenize endpoints. By crafting malicious chat_template_kwargs request parameters, an attacker can block processing on the API server, effectively delaying all other incoming requests. Technical Details The vulnerability stems from insufficient validation of the chat_template_kwargs parameter before its use within the chat template. An attacker can exploit this by providing specially crafted parameters that cause the server to enter a prolonged processing state. This can consume significant…
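Whatever the template does with them, request-supplied kwargs should be bounded before they reach the renderer. The following is an added example, not vLLM's code: a validator for a chat_template_kwargs object that refuses unknown keys (so a caller cannot pass names that collide with the variables the server itself hands to the template), restricts values to JSON scalars and shallow containers, and caps total size. ALLOWED_KEYS and the limits are assumptions for this demo; a real deployment derives the allowlist from the variables its template actually references.

```python
"""Added example (not vLLM's code): bound a request's chat_template_kwargs
before it reaches the Jinja chat template. ALLOWED_KEYS and the limits are
assumptions for this demo."""

ALLOWED_KEYS = {"enable_thinking", "add_generation_prompt"}  # assumed per-template allowlist
MAX_DEPTH, MAX_NODES, MAX_STRING = 2, 64, 256


class InvalidTemplateKwargs(ValueError):
    pass


def _count_nodes(value, depth, path):
    """Walk a JSON-like value enforcing type, depth and string limits; return node count."""
    if depth > MAX_DEPTH:
        raise InvalidTemplateKwargs(f"{path}: nesting deeper than {MAX_DEPTH}")
    if value is None or isinstance(value, (bool, int, float)):
        return 1
    if isinstance(value, str):
        if len(value) > MAX_STRING:
            raise InvalidTemplateKwargs(f"{path}: string longer than {MAX_STRING}")
        return 1
    if isinstance(value, list):
        return 1 + sum(_count_nodes(v, depth + 1, f"{path}[{i}]") for i, v in enumerate(value))
    if isinstance(value, dict):
        total = 1
        for k, v in value.items():
            if not isinstance(k, str):
                raise InvalidTemplateKwargs(f"{path}: non-string key {k!r}")
            total += _count_nodes(v, depth + 1, f"{path}.{k}")
        return total
    raise InvalidTemplateKwargs(f"{path}: unsupported type {type(value).__name__}")


def validate_chat_template_kwargs(kwargs):
    """Return a copy of kwargs or raise. Unknown keys are refused outright."""
    if not isinstance(kwargs, dict):
        raise InvalidTemplateKwargs("chat_template_kwargs must be a JSON object")
    unknown = sorted(set(kwargs) - ALLOWED_KEYS)
    if unknown:
        raise InvalidTemplateKwargs(f"unknown keys: {unknown}")
    total = sum(_count_nodes(v, 1, k) for k, v in kwargs.items())
    if total > MAX_NODES:
        raise InvalidTemplateKwargs(f"{total} nodes exceeds limit {MAX_NODES}")
    return dict(kwargs)


def check(kwargs):
    """'ok' or 'rejected: <reason>', for use at the request boundary."""
    try:
        validate_chat_template_kwargs(kwargs)
        return "ok"
    except InvalidTemplateKwargs as exc:
        return f"rejected: {exc}"
```

Size and depth limits do not by themselves prevent a template from looping expensively; they keep the input small enough that a per-request render timeout, applied in the serving layer, is the remaining control.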
-
Overview CVE-2025-62372 describes a vulnerability in vLLM, an inference and serving engine for large language models (LLMs). Versions 0.5.5 through 0.11.0 (inclusive) are susceptible. The vulnerability allows a malicious actor to crash the vLLM engine when serving multimodal models by providing malformed multimodal embedding inputs. Specifically, inputs with the correct number of dimensions (ndim) but an incorrect shape (e.g., a wrong hidden dimension size) trigger the crash. This occurs regardless of whether the model is explicitly designed to support such inputs. A fix is available in version 0.11.1 of vLLM. Technical Details The vulnerability stems from insufficient input validation within…
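The case described above, an input with the right number of dimensions but the wrong shape, is exactly what a check on ndim alone lets through. The following is an added example, not vLLM's code: a request-boundary validator for a multimodal embedding, written over plain nested lists so it runs without torch, with HIDDEN_SIZE and MAX_TOKENS as assumed model constants. It infers the full shape (rejecting ragged input along the way) and then requires a (tokens, hidden_size) matrix.

```python
"""Added example (not vLLM's code): reject a caller-supplied multimodal
embedding whose shape does not match the model. Nested lists stand in for
tensors; HIDDEN_SIZE and MAX_TOKENS are assumed constants for this demo."""

HIDDEN_SIZE = 8      # assumed hidden dimension of the served model
MAX_TOKENS = 4096    # assumed upper bound on embedded tokens per request


class BadEmbedding(ValueError):
    pass


def infer_shape(x):
    """Shape of a rectangular nested list of numbers; raises if ragged or non-numeric."""
    if not isinstance(x, list):
        if isinstance(x, bool) or not isinstance(x, (int, float)):
            raise BadEmbedding(f"non-numeric element {x!r}")
        return ()
    if not x:
        raise BadEmbedding("empty dimension")
    first = infer_shape(x[0])
    for i in range(1, len(x)):
        if infer_shape(x[i]) != first:
            raise BadEmbedding(f"ragged input at index {i}")
    return (len(x),) + first


def validate_embedding(emb, hidden_size=HIDDEN_SIZE, max_tokens=MAX_TOKENS):
    """Accept only a (tokens, hidden_size) matrix; return its shape."""
    shape = infer_shape(emb)
    if len(shape) != 2:
        raise BadEmbedding(f"expected ndim 2 (tokens, hidden), got ndim {len(shape)}")
    tokens, hidden = shape
    if hidden != hidden_size:                  # the case an ndim-only check misses
        raise BadEmbedding(f"hidden dimension {hidden} != model's {hidden_size}")
    if tokens > max_tokens:
        raise BadEmbedding(f"{tokens} tokens exceeds limit {max_tokens}")
    return shape


def check(emb):
    """('ok', shape) or ('rejected', reason), for use at the request boundary."""
    try:
        return ("ok", validate_embedding(emb))
    except BadEmbedding as exc:
        return ("rejected", str(exc))
```

With real tensors the same rule reads as `emb.ndim == 2 and emb.shape[-1] == hidden_size`; the point is that the second comparison is the one that was missing for this class of input.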
-
Published: 2025-11-21 Overview A high-severity vulnerability, identified as CVE-2025-62164, has been discovered in vLLM, a popular inference and serving engine for large language models (LLMs). This vulnerability, affecting versions from 0.10.2 up to but not including 0.11.1, could allow attackers to cause a denial-of-service (DoS) and potentially achieve remote code execution (RCE) on systems running vulnerable versions of vLLM. Technical Details The vulnerability resides in the Completions API endpoint. When processing user-supplied prompt embeddings, the endpoint utilizes torch.load() to load serialized tensors. Prior to version 0.11.1, insufficient validation of these tensors was performed. A change introduced in PyTorch 2.8.0 disabled sparse tensor integrity checks…
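The integrity check mentioned above is what keeps a sparse tensor's indices inside its declared dense shape; without it, densifying the tensor turns an attacker-chosen index into an out-of-bounds memory access. The following is an added example, not vLLM's or PyTorch's code: the invariant check for a sparse COO tensor (index rows match the number of dims, every row has nnz entries, every index satisfies 0 <= idx < shape[dim]) written over plain Python lists so it runs without torch, plus a small densify routine that refuses to run before the check passes. The hostile tensors in the test are constructed.

```python
"""Added example (not vLLM's or PyTorch's code): invariant check a deserializer
must run on a sparse COO tensor before it is densified or handed to a kernel.
Plain Python lists stand in for tensors."""


class InvalidSparseTensor(ValueError):
    pass


def check_sparse_coo(indices, values, shape):
    """indices: ndim rows of nnz integers; values: nnz entries; shape: dense dims.
    Returns nnz on success. Every index must satisfy 0 <= idx < shape[dim]."""
    ndim = len(shape)
    if ndim == 0 or any(isinstance(d, bool) or not isinstance(d, int) or d < 0 for d in shape):
        raise InvalidSparseTensor(f"bad dense shape {shape!r}")
    if len(indices) != ndim:
        raise InvalidSparseTensor(f"{len(indices)} index rows for {ndim} dims")
    nnz = len(values)
    for dim, row in enumerate(indices):
        if len(row) != nnz:
            raise InvalidSparseTensor(f"dim {dim}: {len(row)} indices but {nnz} values")
        for k, idx in enumerate(row):
            if isinstance(idx, bool) or not isinstance(idx, int) or not 0 <= idx < shape[dim]:
                raise InvalidSparseTensor(
                    f"index {idx!r} (entry {k}) outside dim {dim} of size {shape[dim]}")
    return nnz


def to_dense_2d(indices, values, shape):
    """Densify a 2-D COO tensor. Without the check, an out-of-range index here is
    an out-of-bounds write in a C/CUDA kernel; in Python a negative index would
    silently wrap and land on the wrong row or column."""
    check_sparse_coo(indices, values, shape)
    rows, cols = shape
    dense = [[0.0] * cols for _ in range(rows)]
    for r, c, v in zip(indices[0], indices[1], values):
        dense[r][c] += v           # COO semantics: duplicate coordinates sum
    return dense


def load_untrusted(indices, values, shape):
    """Request-boundary wrapper: ('ok', nnz) or ('rejected', reason)."""
    try:
        return ("ok", check_sparse_coo(indices, values, shape))
    except InvalidSparseTensor as exc:
        return ("rejected", str(exc))
```

PyTorch exposes the same class of checking as torch.sparse.check_sparse_tensor_invariants, which can be enabled around construction of sparse tensors from untrusted data. Restricting what torch.load will unpickle (weights_only=True) is a separate control from validating the tensors it produces; both are needed when the input is attacker-supplied.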
-
Overview A high-severity SQL injection vulnerability, identified as CVE-2025-13485, has been discovered in itsourcecode Online File Management System version 1.0. This flaw allows remote attackers to potentially execute arbitrary SQL commands, leading to unauthorized data access, modification, or even complete system compromise. The exploit is publicly available, making it crucial to address this vulnerability immediately. Technical Details The vulnerability resides in the /ajax.php?action=login endpoint. Specifically, the Username argument is susceptible to SQL injection. By manipulating this argument, an attacker can inject malicious SQL code that is then executed by the application’s database. This bypasses normal authentication mechanisms and grants unauthorized…
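The login bypass described above comes from building the query text out of the Username value. The following is an added example, not the itsourcecode application's code: the same pattern reproduced against an in-memory SQLite table in Python (the original is PHP/MySQL), with the vulnerable concatenated query beside a parameterised one. The table, the user row and the payload are constructed for this demo.

```python
"""Added example (not the itsourcecode application's code): the login pattern
behind CVE-2025-13485 against an in-memory SQLite table, vulnerable and fixed
side by side. Table, user row and payload are constructed for this demo."""

import sqlite3


def make_db():
    """Constructed users table with one account (plaintext here only for brevity)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates the Username value into the SQL text, so quotes in it change the query."""
    sql = (f"SELECT id, username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_fixed(conn, username, password):
    """Parameterised query: values travel separately from the SQL text."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Constructed payload: closes the string literal, then comments out the password
# check, so the query becomes  ... WHERE username = 'admin' -- ' AND password = '...'
PAYLOAD = "admin' -- "


def demo():
    conn = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, PAYLOAD, "wrong") is not None,
        "fixed_bypassed": login_fixed(conn, PAYLOAD, "wrong") is not None,
        "fixed_legit_login": login_fixed(conn, "admin", "s3cret") is not None,
        "fixed_wrong_password": login_fixed(conn, "admin", "wrong") is not None,
    }


if __name__ == "__main__":
    for name, row_returned in demo().items():
        print(f"{name}: {'row returned' if row_returned else 'no row'}")
```

In the parameterised version the payload is compared as a literal username and matches nothing; the bypass works only when the value is spliced into the query string. The same fix applies to PHP's mysqli and PDO prepared statements.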
-
Overview CVE-2025-64660 describes an improper access control vulnerability affecting both GitHub Copilot and Visual Studio Code. This flaw allows an authorized attacker to bypass a security feature over a network, leading to unauthorized actions or data access. The vulnerability was published on November 20, 2025. Technical Details The specifics of the vulnerability reveal that the access control mechanisms in GitHub Copilot and Visual Studio Code, when interacting over a network (e.g., through remote development features), are susceptible to bypass. The vulnerability likely stems from inadequate validation of user permissions or improper handling of network requests. While Microsoft hasn't released…