Filtered by vendor Tencent
Subscribe
Total
36 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-63945 | 1 Tencent | 1 Ioa | 2026-02-26 | N/A | 7.4 HIGH |
|
A privilege escalation (PE) vulnerability in the Tencent iOA app thru 210.9.28693.621001 on Windows devices enables a local user to execute programs with elevated privileges. However, execution requires that the local user is able to successfully exploit a race condition.
|
|||||
| CVE-2025-63946 | 1 Tencent | 1 Pcmanager | 2026-02-26 | N/A | 7.4 HIGH |
|
A privilege escalation (PE) vulnerability in the Tencent PC Manager app thru 17.10.28554.205 on Windows devices enables a local user to execute programs with elevated privileges. However, execution requires that the local user is able to successfully exploit a race condition.
|
|||||
| CVE-2025-56230 | 1 Tencent | 1 Docs | 2026-02-10 | N/A | 7.5 HIGH |
|
Tencent Docs Desktop 3.9.20 and earlier suffers from Missing SSL Certificate Validation in the update component.
|
|||||
| CVE-2026-22688 | 1 Tencent | 1 Weknora | 2026-01-22 | N/A | 9.9 CRITICAL |
|
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, there is a command injection vulnerability that allows authenticated users to inject stdio_config.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values. This issue has been patched in version 0.2.5.
|
|||||
| CVE-2026-22687 | 1 Tencent | 1 Weknora | 2026-01-22 | N/A | 8.1 HIGH |
|
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, after WeKnora enables the Agent service, it allows users to call the database query tool. Due to insufficient backend validation, an attacker can use prompt‑based bypass techniques to evade query restrictions and obtain sensitive information from the target server and database. This issue has been patched in version 0.2.5.
|
|||||
| CVE-2025-13709 | 1 Tencent | 1 Tface | 2026-01-12 | N/A | 7.8 HIGH |
|
Tencent TFace restore_checkpoint Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent TFace. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the restore_checkpoint function. The issue results from the lack of proper validation of user-supplied data, which can ...
Show More |
|||||
| CVE-2025-13711 | 1 Tencent | 1 Tface | 2026-01-12 | N/A | 7.8 HIGH |
|
Tencent TFace eval Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent TFace. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the eval endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization o ...
Show More |
|||||
| CVE-2024-40433 | 1 Tencent | 1 Wechat | 2025-10-10 | N/A | 8.8 HIGH |
|
Insecure Permissions vulnerability in Tencent wechat v.8.0.37 allows an attacker to escalate privileges via the web-view component.
|
|||||
| CVE-2025-11046 | 1 Tencent | 1 Weknora | 2025-10-07 | 7.5 HIGH | 7.3 HIGH |
|
A security flaw has been discovered in Tencent WeKnora 0.1.0. This impacts the function testEmbeddingModel of the file /api/v1/initialization/embedding/test. The manipulation of the argument baseUrl results in server-side request forgery. The attack can be launched remotely. The exploit has been released to the public and may be exploited. It is advisable to upgrade the affected component. The vendor responds: "We have confirmed that the issue mentioned in the report does not exist in the latest ...
Show More |
|||||
| CVE-2024-34408 | 1 Tencent | 1 Libpag | 2025-09-19 | N/A | 5.3 MEDIUM |
|
Tencent libpag through 4.3.51 has an integer overflow in DecodeStream::checkEndOfFile() in codec/utils/DecodeStream.cpp via a crafted PAG (Portable Animated Graphics) file.
|
|||||
| CVE-2024-33078 | 1 Tencent | 1 Libpag | 2025-09-15 | N/A | 9.8 CRITICAL |
|
Tencent Libpag v4.3 is vulnerable to Buffer Overflow. A user can send a crafted image to trigger a overflow leading to remote code execution.
|
|||||
| CVE-2024-22873 | 1 Tencent | 1 Blueking Configuration Management Database | 2025-06-09 | N/A | 8.1 HIGH |
|
Tencent Blueking CMDB v3.2.x to v3.9.x was discovered to contain a Server-Side Request Forgery (SSRF) via the event subscription function (/service/subscription.go). This vulnerability allows attackers to access internal requests via a crafted POST request.
|
|||||
| CVE-2011-4865 | 2 Google, Tencent | 3 Android, Microblogpad, Wblog | 2025-04-11 | 5.8 MEDIUM | N/A |
|
The Tencent WBlog (com.tencent.WBlog) 3.3.1 and MicroBlogPad 1.4.0 applications for Android do not properly protect data, which allows remote attackers to read or modify message drafts and search keywords via a crafted application.
|
|||||
| CVE-2011-4867 | 2 Android, Tencent | 2 Android, Qqpphoto | 2025-04-11 | 5.8 MEDIUM | N/A |
|
The Tencent QQPhoto (com.tencent.qqphoto) application 0.97 for Android does not properly protect data, which allows remote attackers to read or modify contact information and a password hash via a crafted application.
|
|||||
| CVE-2011-4863 | 2 Google, Tencent | 2 Android, Qqpimsecure | 2025-04-11 | 5.8 MEDIUM | N/A |
|
The Tencent QQPimSecure (com.tencent.qqpimsecure) application 3.0.2 for Android does not properly protect data, which allows remote attackers to read or modify SMS/MMS messages and a contact list via a crafted application.
|
|||||
| CVE-2011-4864 | 2 Google, Tencent | 2 Android, Mobileqq | 2025-04-11 | 5.8 MEDIUM | N/A |
|
The Tencent MobileQQ (com.tencent.mobileqq) application 2.2 for Android does not properly protect data, which allows remote attackers to read or modify messages and a friends list via a crafted application.
|
|||||
| CVE-2023-30363 | 1 Tencent | 1 Vconsole | 2025-02-03 | N/A | 9.8 CRITICAL |
|
vConsole v3.15.0 was discovered to contain a prototype pollution due to incorrect key and value resolution in setOptions in core.ts.
|
|||||
| CVE-2023-34312 | 1 Tencent | 2 Qq, Tim | 2025-01-09 | N/A | 7.8 HIGH |
|
In Tencent QQ through 9.7.8.29039 and TIM through 3.4.7.22084, QQProtect.exe and QQProtectEngine.dll do not validate pointers from inter-process communication, which leads to a write-what-where condition.
|
|||||
| CVE-2023-52286 | 1 Tencent | 1 Tencent Distributed Sql | 2024-11-21 | N/A | 7.5 HIGH |
|
Tencent tdsqlpcloud through 1.8.5 allows unauthenticated remote attackers to discover database credentials via an index.php/api/install/get_db_info request, a related issue to CVE-2023-42387.
|
|||||
| CVE-2023-40829 | 1 Tencent | 1 Enterprise Wechat Privatization | 2024-11-21 | N/A | 7.5 HIGH |
|
There is an interface unauthorized access vulnerability in the background of Tencent Enterprise Wechat Privatization 2.5.x and 2.6.930000.
|
|||||
| CVE-2023-39988 | 1 Tencent | 1 Wxsync | 2024-11-21 | N/A | 6.5 MEDIUM |
|
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in 标准云(std.Cloud) WxSync plugin <= 2.7.23 versions.
|
|||||
| CVE-2022-35158 | 1 Tencent | 1 Tscancode | 2024-11-21 | N/A | 7.5 HIGH |
|
A vulnerability in the lua parser of TscanCode tsclua v2.15.01 allows attackers to cause a Denial of Service (DoS) via a crafted lua script.
|
|||||
| CVE-2021-40180 | 1 Tencent | 1 Wechat | 2024-11-21 | N/A | 7.5 HIGH |
|
In the WeChat application 8.0.10 for Android and iOS, a mini program can obtain sensitive information from a user's address book via wx.searchContacts.
|
|||||
| CVE-2021-33879 | 1 Tencent | 1 Gameloop | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
|
Tencent GameLoop before 4.1.21.90 downloaded updates over an insecure HTTP connection. A malicious attacker in an MITM position could spoof the contents of an XML document describing an update package, replacing a download URL with one pointing to an arbitrary Windows executable. Because the only integrity check would be a comparison of the downloaded file's MD5 checksum to the one contained within the XML document, the downloaded executable would then be executed on the victim's machine.
|
|||||
| CVE-2021-33057 | 1 Tencent | 1 Qq | 2024-11-21 | N/A | 7.5 HIGH |
|
The QQ application 8.7.1 for Android and iOS does not enforce the permission requirements (e.g., android.permission.ACCESS_FINE_LOCATION) for determining the device's physical location. An attacker can use qq.createMapContext to create a MapContext object, use MapContext.moveToLocation to move the center of the map to the device's location, and use MapContext.getCenterLocation to get the latitude and longitude of the current map center.
|
|||||
| CVE-2021-27439 | 1 Tencent | 1 Tencentos-tiny | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
|
TencentOS-tiny version 3.1.0 is vulnerable to integer wrap-around in function 'tos_mmheap_alloc incorrect calculation of effective memory allocation size. This improper memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution.
|
|||||
| CVE-2021-27247 | 1 Tencent | 1 Wechat | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Tencent WeChat 2.9.5 desktop version. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the WXAM decoder. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in c ...
Show More |
|||||
| CVE-2020-27874 | 1 Tencent | 1 Wechat | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent WeChat 7.0.18. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the WXAM Decoder. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated object. An attacker can leverage this vulnerability to e ...
Show More |
|||||
| CVE-2020-24162 | 1 Tencent | 1 Tencent | 2024-11-21 | 4.4 MEDIUM | 7.8 HIGH |
|
The Shenzhen Tencent app 5.8.2.5300 for PC platforms (from Tencent App Center) has a DLL hijacking vulnerability. Attackers can use this vulnerability to execute malicious code.
|
|||||
| CVE-2020-24160 | 1 Tencent | 1 Tim | 2024-11-21 | 4.4 MEDIUM | 7.8 HIGH |
|
Shenzhen Tencent TIM Windows client 3.0.0.21315 has a DLL hijacking vulnerability, which can be exploited by attackers to execute malicious code.
|
|||||
| CVE-2020-10551 | 1 Tencent | 1 Qqbrowser | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
QQBrowser before 10.5.3870.400 installs a Windows service TsService.exe. This file is writable by anyone belonging to the NT AUTHORITY\Authenticated Users group, which includes all local and remote users. This can be abused by local attackers to escalate privileges to NT AUTHORITY\SYSTEM by writing a malicious executable to the location of TsService.
|
|||||
| CVE-2019-17151 | 1 Tencent | 1 Wechat | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |
|
This vulnerability allows remote attackers redirect users to an external resource on affected installations of Tencent WeChat Prior to 7.0.9. User interaction is required to exploit this vulnerability in that the target must be within a chat session together with the attacker. The specific flaw exists within the parsing of a users profile. The issue lies in the failure to properly validate a users name. An attacker can leverage this in conjunction with other vulnerabilities to execute code in th ...
Show More |
|||||
| CVE-2019-13125 | 1 Tencent | 1 Habomalhunter | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
|
HaboMalHunter through 2.0.0.3 in Tencent Habo allows attackers to evade dynamic malware analysis via PIE compilation.
|
|||||
| CVE-2019-11419 | 1 Tencent | 1 Wechat | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
|
vcodec2_hls_filter in libvoipCodec_v7a.so in the WeChat application through 7.0.3 for Android allows attackers to cause a denial of service (application crash) by replacing an emoji file (under the /sdcard/tencent/MicroMsg directory) with a crafted .wxgf file. The content of the replacement must be derived from the phone's IMEI. The crash occurs upon receiving a message that contains the replaced emoji.
|
|||||
| CVE-2018-13439 | 1 Tencent | 1 Wechat Pay | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
WXPayUtil in WeChat Pay Java SDK allows XXE attacks involving a merchant notification URL.
|
|||||
| CVE-2018-11616 | 1 Tencent | 1 Foxmail | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Tencent Foxmail 7.2.9.115. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of URI handlers. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute c ...
Show More |
|||||