Filtered by vendor Tencent
Subscribe
Total
33 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-22688 | 1 Tencent | 1 Weknora | 2026-01-22 | N/A | 9.9 CRITICAL |
| WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, there is a command injection vulnerability that allows authenticated users to inject stdio_config.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values. This issue has been patched in version 0.2.5. | |||||
| CVE-2026-22687 | 1 Tencent | 1 Weknora | 2026-01-22 | N/A | 8.1 HIGH |
| WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, after WeKnora enables the Agent service, it allows users to call the database query tool. Due to insufficient backend validation, an attacker can use prompt‑based bypass techniques to evade query restrictions and obtain sensitive information from the target server and database. This issue has been patched in version 0.2.5. | |||||
| CVE-2025-13709 | 1 Tencent | 1 Tface | 2026-01-12 | N/A | 7.8 HIGH |
| Tencent TFace restore_checkpoint Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent TFace. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the restore_checkpoint function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27185. | |||||
| CVE-2025-13711 | 1 Tencent | 1 Tface | 2026-01-12 | N/A | 7.8 HIGH |
| Tencent TFace eval Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent TFace. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the eval endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27187. | |||||
| CVE-2024-40433 | 1 Tencent | 1 Wechat | 2025-10-10 | N/A | 8.8 HIGH |
| Insecure Permissions vulnerability in Tencent wechat v.8.0.37 allows an attacker to escalate privileges via the web-view component. | |||||
| CVE-2025-11046 | 1 Tencent | 1 Weknora | 2025-10-07 | 7.5 HIGH | 7.3 HIGH |
| A security flaw has been discovered in Tencent WeKnora 0.1.0. This impacts the function testEmbeddingModel of the file /api/v1/initialization/embedding/test. The manipulation of the argument baseUrl results in server-side request forgery. The attack can be launched remotely. The exploit has been released to the public and may be exploited. It is advisable to upgrade the affected component. The vendor responds: "We have confirmed that the issue mentioned in the report does not exist in the latest releases". | |||||
| CVE-2024-34408 | 1 Tencent | 1 Libpag | 2025-09-19 | N/A | 5.3 MEDIUM |
| Tencent libpag through 4.3.51 has an integer overflow in DecodeStream::checkEndOfFile() in codec/utils/DecodeStream.cpp via a crafted PAG (Portable Animated Graphics) file. | |||||
| CVE-2024-33078 | 1 Tencent | 1 Libpag | 2025-09-15 | N/A | 9.8 CRITICAL |
| Tencent Libpag v4.3 is vulnerable to Buffer Overflow. A user can send a crafted image to trigger a overflow leading to remote code execution. | |||||
| CVE-2024-22873 | 1 Tencent | 1 Blueking Configuration Management Database | 2025-06-09 | N/A | 8.1 HIGH |
| Tencent Blueking CMDB v3.2.x to v3.9.x was discovered to contain a Server-Side Request Forgery (SSRF) via the event subscription function (/service/subscription.go). This vulnerability allows attackers to access internal requests via a crafted POST request. | |||||
| CVE-2011-4867 | 2 Android, Tencent | 2 Android, Qqpphoto | 2025-04-11 | 5.8 MEDIUM | N/A |
| The Tencent QQPhoto (com.tencent.qqphoto) application 0.97 for Android does not properly protect data, which allows remote attackers to read or modify contact information and a password hash via a crafted application. | |||||
| CVE-2011-4865 | 2 Google, Tencent | 3 Android, Microblogpad, Wblog | 2025-04-11 | 5.8 MEDIUM | N/A |
| The Tencent WBlog (com.tencent.WBlog) 3.3.1 and MicroBlogPad 1.4.0 applications for Android do not properly protect data, which allows remote attackers to read or modify message drafts and search keywords via a crafted application. | |||||
| CVE-2011-4863 | 2 Google, Tencent | 2 Android, Qqpimsecure | 2025-04-11 | 5.8 MEDIUM | N/A |
| The Tencent QQPimSecure (com.tencent.qqpimsecure) application 3.0.2 for Android does not properly protect data, which allows remote attackers to read or modify SMS/MMS messages and a contact list via a crafted application. | |||||
| CVE-2011-4864 | 2 Google, Tencent | 2 Android, Mobileqq | 2025-04-11 | 5.8 MEDIUM | N/A |
| The Tencent MobileQQ (com.tencent.mobileqq) application 2.2 for Android does not properly protect data, which allows remote attackers to read or modify messages and a friends list via a crafted application. | |||||
| CVE-2023-30363 | 1 Tencent | 1 Vconsole | 2025-02-03 | N/A | 9.8 CRITICAL |
| vConsole v3.15.0 was discovered to contain a prototype pollution due to incorrect key and value resolution in setOptions in core.ts. | |||||
| CVE-2023-34312 | 1 Tencent | 2 Qq, Tim | 2025-01-09 | N/A | 7.8 HIGH |
| In Tencent QQ through 9.7.8.29039 and TIM through 3.4.7.22084, QQProtect.exe and QQProtectEngine.dll do not validate pointers from inter-process communication, which leads to a write-what-where condition. | |||||
| CVE-2023-52286 | 1 Tencent | 1 Tencent Distributed Sql | 2024-11-21 | N/A | 7.5 HIGH |
| Tencent tdsqlpcloud through 1.8.5 allows unauthenticated remote attackers to discover database credentials via an index.php/api/install/get_db_info request, a related issue to CVE-2023-42387. | |||||
| CVE-2023-40829 | 1 Tencent | 1 Enterprise Wechat Privatization | 2024-11-21 | N/A | 7.5 HIGH |
| There is an interface unauthorized access vulnerability in the background of Tencent Enterprise Wechat Privatization 2.5.x and 2.6.930000. | |||||
| CVE-2023-39988 | 1 Tencent | 1 Wxsync | 2024-11-21 | N/A | 6.5 MEDIUM |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in ???(std.Cloud) WxSync plugin <=Â 2.7.23 versions. | |||||
| CVE-2022-35158 | 1 Tencent | 1 Tscancode | 2024-11-21 | N/A | 7.5 HIGH |
| A vulnerability in the lua parser of TscanCode tsclua v2.15.01 allows attackers to cause a Denial of Service (DoS) via a crafted lua script. | |||||
| CVE-2021-40180 | 1 Tencent | 1 Wechat | 2024-11-21 | N/A | 7.5 HIGH |
| In the WeChat application 8.0.10 for Android and iOS, a mini program can obtain sensitive information from a user's address book via wx.searchContacts. | |||||