CVE-2025-49851 - ControlID iDSecure Authentication Bypass
CVE ID : CVE-2025-49851
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to an Improper Authentication vulnerability which could allow an attacker to bypass authentication and gain permissions in the product.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-49851
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to an Improper Authentication vulnerability which could allow an attacker to bypass authentication and gain permissions in the product.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-49852 - ControlID iDSecure Server-Side Request Forgery
CVE ID : CVE-2025-49852
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to a Server-Side Request Forgery vulnerability which could allow an unauthenticated attacker to retrieve information from other servers.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-49852
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to a Server-Side Request Forgery vulnerability which could allow an unauthenticated attacker to retrieve information from other servers.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-49853 - ControlID iDSecure SQL Injection Vulnerability
CVE ID : CVE-2025-49853
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to SQL injections which could allow an attacker to leak arbitrary information and insert arbitrary SQL syntax into SQL queries.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-49853
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to SQL injections which could allow an attacker to leak arbitrary information and insert arbitrary SQL syntax into SQL queries.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-52471 - "Espressif ESP-IDF ESP-NOW Protocol Integer Underflow Vulnerability"
CVE ID : CVE-2025-52471
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. An integer underflow vulnerability has been identified in the ESP-NOW protocol implementation within the ESP Wi-Fi component of versions 5.4.1, 5.3.3, 5.2.5, and 5.1.6 of the ESP-IDF framework. This issue stems from insufficient validation of user-supplied data length in the packet receive function. Under certain conditions, this may lead to out-of-bounds memory access and may allow arbitrary memory write operations. On systems without a memory protection scheme, this behavior could potentially be used to achieve remote code execution (RCE) on the target device. In versions 5.4.2, 5.3.4, 5.2.6, and 5.1.6, ESP-NOW has added more comprehensive validation logic on user-supplied data length during packet reception to prevent integer underflow caused by negative value calculations. For ESP-IDF v5.3 and earlier, a workaround can be applied by validating that the `data_len` parameter received in the RX callback (registered via `esp_now_register_recv_cb()`) is a positive value before further processing. For ESP-IDF v5.4 and later, no application-level workaround is available. Users are advised to upgrade to a patched version of ESP-IDF to take advantage of the built-in mitigation.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-52471
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. An integer underflow vulnerability has been identified in the ESP-NOW protocol implementation within the ESP Wi-Fi component of versions 5.4.1, 5.3.3, 5.2.5, and 5.1.6 of the ESP-IDF framework. This issue stems from insufficient validation of user-supplied data length in the packet receive function. Under certain conditions, this may lead to out-of-bounds memory access and may allow arbitrary memory write operations. On systems without a memory protection scheme, this behavior could potentially be used to achieve remote code execution (RCE) on the target device. In versions 5.4.2, 5.3.4, 5.2.6, and 5.1.6, ESP-NOW has added more comprehensive validation logic on user-supplied data length during packet reception to prevent integer underflow caused by negative value calculations. For ESP-IDF v5.3 and earlier, a workaround can be applied by validating that the `data_len` parameter received in the RX callback (registered via `esp_now_register_recv_cb()`) is a positive value before further processing. For ESP-IDF v5.4 and later, no application-level workaround is available. Users are advised to upgrade to a patched version of ESP-IDF to take advantage of the built-in mitigation.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-52571 - Hikka Telegram Unauthenticated Account Takeover and Server Compromise Vulnerability
CVE ID : CVE-2025-52571
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : Hikka is a Telegram userbot. A vulnerability affects all users of versions below 1.6.2, including most of the forks. It allows an unauthenticated attacker to gain access to Telegram account of a victim, as well as full access to the server. The issue is patched in version 1.6.2. No known workarounds are available.
Severity: 9.6 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-52571
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : Hikka is a Telegram userbot. A vulnerability affects all users of versions below 1.6.2, including most of the forks. It allows an unauthenticated attacker to gain access to Telegram account of a victim, as well as full access to the server. The issue is patched in version 1.6.2. No known workarounds are available.
Severity: 9.6 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-52880 - Komga EPUB XSS Attack Vector
CVE ID : CVE-2025-52880
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : Komga is a media server for comics, mangas, BDs, magazines and eBooks. A Cross-Site Scripting (XSS) vulnerability has been discovered in versions 1.8.0 through 1.21.3 when serving EPUB resources, either directly from the API, or when reading using the epub reader. The vulnerability lets an attacker perform actions on the victim's behalf. When targeting an admin user, this can be combined with controlling a server-side command to achieve arbitrary code execution. For this vulnerability to be exploited, a malicious EPUB file has to be present in a Komga library, and subsequently accessed in the Epub reader by an admin user. Version 1.22.0 contains a patch for the issue.
Severity: 4.2 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-52880
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : Komga is a media server for comics, mangas, BDs, magazines and eBooks. A Cross-Site Scripting (XSS) vulnerability has been discovered in versions 1.8.0 through 1.21.3 when serving EPUB resources, either directly from the API, or when reading using the epub reader. The vulnerability lets an attacker perform actions on the victim's behalf. When targeting an admin user, this can be combined with controlling a server-side command to achieve arbitrary code execution. For this vulnerability to be exploited, a malicious EPUB file has to be present in a Komga library, and subsequently accessed in the Epub reader by an admin user. Version 1.22.0 contains a patch for the issue.
Severity: 4.2 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-52882 - Claude Code WebSocket Remote Code Execution (RCE)
CVE ID : CVE-2025-52882
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : Claude Code is an agentic coding tool. Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) are vulnerable to unauthorized websocket connections from an attacker when visiting attacker-controlled webpages. Claude Code for VSCode IDE extensions versions 0.2.116 through 1.0.23 are vulnerable. For Jetbrains IDE plugins, Claude Code [beta] versions 0.1.1 through 0.1.8 are vulnerable. In VSCode (and forks), exploitation would allow an attacker to read arbitrary files, see the list of files open in the IDE, get selection and diagnostics events from the IDE, or execute code in limited situations where a user has an open Jupyter Notebook and accepts a malicious prompt. In JetBrains IDEs, an attacker could get selection events, a list of open files, and a list of syntax errors. Claude released a patch for this issue on June 13th, 2025. Although Claude Code auto-updates when a user launch it and auto-updates the extensions, users should take the following steps, though the exact steps depend on one's integrated development environment (IDE). For VSCode, Cursor, Windsurf, VSCodium, and other VSCode forks, check the extension Claude Code for VSCode. Open the list of Extensions (View->Extensions), look for Claude Code for VSCode among installed extensions, update or uninstall any version prior to 1.0.24, and restart the IDE. For JetBrains IDEs including IntelliJ, PyCharm, and Android Studio, check the plugin Claude Code [Beta]. Open the Plugins list, look for Claude Code [Beta] among installed extensions, update or uninstall any version prior to 0.1.9, and restart the IDE.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-52882
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : Claude Code is an agentic coding tool. Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) are vulnerable to unauthorized websocket connections from an attacker when visiting attacker-controlled webpages. Claude Code for VSCode IDE extensions versions 0.2.116 through 1.0.23 are vulnerable. For Jetbrains IDE plugins, Claude Code [beta] versions 0.1.1 through 0.1.8 are vulnerable. In VSCode (and forks), exploitation would allow an attacker to read arbitrary files, see the list of files open in the IDE, get selection and diagnostics events from the IDE, or execute code in limited situations where a user has an open Jupyter Notebook and accepts a malicious prompt. In JetBrains IDEs, an attacker could get selection events, a list of open files, and a list of syntax errors. Claude released a patch for this issue on June 13th, 2025. Although Claude Code auto-updates when a user launch it and auto-updates the extensions, users should take the following steps, though the exact steps depend on one's integrated development environment (IDE). For VSCode, Cursor, Windsurf, VSCodium, and other VSCode forks, check the extension Claude Code for VSCode. Open the list of Extensions (View->Extensions), look for Claude Code for VSCode among installed extensions, update or uninstall any version prior to 1.0.24, and restart the IDE. For JetBrains IDEs including IntelliJ, PyCharm, and Android Studio, check the plugin Claude Code [Beta]. Open the Plugins list, look for Claude Code [Beta] among installed extensions, update or uninstall any version prior to 0.1.9, and restart the IDE.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-52888 - "Allure Report XXE Injection Vulnerability"
CVE ID : CVE-2025-52888
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. A critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2 prior to version 2.34.1. The plugin fails to securely configure the XML parser (`DocumentBuilderFactory`) and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF). Version 2.34.1 contains a patch for the issue.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-52888
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. A critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2 prior to version 2.34.1. The plugin fails to securely configure the XML parser (`DocumentBuilderFactory`) and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF). Version 2.34.1 contains a patch for the issue.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-53021 - "Moodle Session Fixation Vulnerability"
CVE ID : CVE-2025-53021
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Severity: 4.2 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-53021
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Severity: 4.2 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-6555 - Google Chrome Use-After-Free in Animation
CVE ID : CVE-2025-6555
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : Use after free in Animation in Google Chrome prior to 138.0.7204.49 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-6555
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : Use after free in Animation in Google Chrome prior to 138.0.7204.49 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-6556 - Google Chrome Content Security Policy Bypass Vulnerability
CVE ID : CVE-2025-6556
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : Insufficient policy enforcement in Loader in Google Chrome prior to 138.0.7204.49 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-6556
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : Insufficient policy enforcement in Loader in Google Chrome prior to 138.0.7204.49 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-6557 - Google Chrome DevTools Code Execution Vulnerability
CVE ID : CVE-2025-6557
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : Insufficient data validation in DevTools in Google Chrome on Windows prior to 138.0.7204.49 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-6557
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : Insufficient data validation in DevTools in Google Chrome on Windows prior to 138.0.7204.49 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-6578 - "Code-projects Simple Online Hotel Reservation System SQL Injection Vulnerability"
CVE ID : CVE-2025-6578
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : A vulnerability was found in code-projects Simple Online Hotel Reservation System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/delete_account.php. The manipulation of the argument admin_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-6578
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : A vulnerability was found in code-projects Simple Online Hotel Reservation System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/delete_account.php. The manipulation of the argument admin_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-6579 - Code-projects Car Rental System SQL Injection Vulnerability
CVE ID : CVE-2025-6579
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : A vulnerability was found in code-projects Car Rental System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /message_admin.php. The manipulation of the argument Message leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-6579
Published : June 24, 2025, 8:15 p.m. | 4 hours ago
Description : A vulnerability was found in code-projects Car Rental System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /message_admin.php. The manipulation of the argument Message leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-52572 - Hikka Telegram Userbot Remote Code Execution and Account Takeover Vulnerability
CVE ID : CVE-2025-52572
Published : June 24, 2025, 9:15 p.m. | 3 hours ago
Description : Hikka, a Telegram userbot, has vulnerability affects all users on all versions of Hikka. Two scenarios are possible. 1. Web interface does not have an authenticated session: attacker can use his own Telegram account to gain RCE to the server by authorizing in the dangling web interface. 2. Web interface does have an authenticated session: due to insufficient warning in the authentication message, users were tempted to click "Allow" in the "Allow web application ops" menu. This gave an attacker access not only to remote code execution, but also to Telegram accounts of owners. Scenario number 2 is known to have been exploited in the wild. No known patches are available, but some workarounds are available. Use `--no-web` flag and do not start userbot without it; after authorizing in the web interface, close the port on the server and/or start the userbot with `--no-web` flag; and do not click "Allow" in your helper bot unless it is your explicit action that needs to be allowed.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-52572
Published : June 24, 2025, 9:15 p.m. | 3 hours ago
Description : Hikka, a Telegram userbot, has vulnerability affects all users on all versions of Hikka. Two scenarios are possible. 1. Web interface does not have an authenticated session: attacker can use his own Telegram account to gain RCE to the server by authorizing in the dangling web interface. 2. Web interface does have an authenticated session: due to insufficient warning in the authentication message, users were tempted to click "Allow" in the "Allow web application ops" menu. This gave an attacker access not only to remote code execution, but also to Telegram accounts of owners. Scenario number 2 is known to have been exploited in the wild. No known patches are available, but some workarounds are available. Use `--no-web` flag and do not start userbot without it; after authorizing in the web interface, close the port on the server and/or start the userbot with `--no-web` flag; and do not click "Allow" in your helper bot unless it is your explicit action that needs to be allowed.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-52883 - Meshtastic-Android PKC Impersonation Vulnerability
CVE ID : CVE-2025-52883
Published : June 24, 2025, 9:15 p.m. | 3 hours ago
Description : Meshtastic-Android is an Android application for the mesh radio software Meshtastic. Prior to version 2.5.21, an attacker is able to send an unencrypted direct message to a victim impersonating any other node of the mesh. This message will be displayed in the same chat that the victim normally communicates with the other node and it will appear as using PKC, while it is not. This means that the victim will be provided with a false sense of security due to the green padlock displayed when using PKC and they'll read the attacker's message as legitimate. Version 2.5.21 contains a patch for the issue. It is suggested to implement a stricter control on whether a message has been received using PKC or using the shared Meshtastic channel key. Moreover, instead of showing no green padlock icon in the chat with no PKC, consider using an explicit indicator like, for example, the yellow half-open padlock displayed when in HAM mode. This remediation, however, applies to the client applications rather than the Meshtastic firmware.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-52883
Published : June 24, 2025, 9:15 p.m. | 3 hours ago
Description : Meshtastic-Android is an Android application for the mesh radio software Meshtastic. Prior to version 2.5.21, an attacker is able to send an unencrypted direct message to a victim impersonating any other node of the mesh. This message will be displayed in the same chat that the victim normally communicates with the other node and it will appear as using PKC, while it is not. This means that the victim will be provided with a false sense of security due to the green padlock displayed when using PKC and they'll read the attacker's message as legitimate. Version 2.5.21 contains a patch for the issue. It is suggested to implement a stricter control on whether a message has been received using PKC or using the shared Meshtastic channel key. Moreover, instead of showing no green padlock icon in the chat with no PKC, consider using an explicit indicator like, for example, the yellow half-open padlock displayed when in HAM mode. This remediation, however, applies to the client applications rather than the Meshtastic firmware.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-52884 - RISC Zero Steel Solidity Library Commitment Validation Weakness
CVE ID : CVE-2025-52884
Published : June 24, 2025, 9:15 p.m. | 3 hours ago
Description : RISC Zero is a zero-knowledge verifiable general computing platform, with Ethereum integration. The risc0-ethereum repository contains Solidity verifier contracts, Steel EVM view call library, and supporting code. Prior to versions 2.1.1 and 2.2.0, the `Steel.validateCommitment` Solidity library function will return `true` for a crafted commitment with a digest value of zero. This violates the semantics of `validateCommitment`, as this does not commitment to a block that is in the current chain. Because the digest is zero, it does not correspond to any block and there exist no known openings. As a result, this commitment will never be produced by a correct zkVM guest using Steel and leveraging this bug to compromise the soundness of a program using Steel would require a separate bug or misuse of the Steel library, which is expected to be used to validate the root of state opening proofs. A fix has been released as part of `risc0-ethereum` 2.1.1 and 2.2.0. Users for the `Steel` Solidity library versions 2.1.0 or earlier should ensure they are using `Steel.validateCommitment` in tandem with zkVM proof verification of a Steel program, as shown in the ERC-20 counter example, and documentation. This is the correct usage of Steel, and users following this pattern are not at risk, and do not need to take action. Users not verifying a zkVM proof of a Steel program should update their application to do so, as this is incorrect usage of Steel.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-52884
Published : June 24, 2025, 9:15 p.m. | 3 hours ago
Description : RISC Zero is a zero-knowledge verifiable general computing platform, with Ethereum integration. The risc0-ethereum repository contains Solidity verifier contracts, Steel EVM view call library, and supporting code. Prior to versions 2.1.1 and 2.2.0, the `Steel.validateCommitment` Solidity library function will return `true` for a crafted commitment with a digest value of zero. This violates the semantics of `validateCommitment`, as this does not commitment to a block that is in the current chain. Because the digest is zero, it does not correspond to any block and there exist no known openings. As a result, this commitment will never be produced by a correct zkVM guest using Steel and leveraging this bug to compromise the soundness of a program using Steel would require a separate bug or misuse of the Steel library, which is expected to be used to validate the root of state opening proofs. A fix has been released as part of `risc0-ethereum` 2.1.1 and 2.2.0. Users for the `Steel` Solidity library versions 2.1.0 or earlier should ensure they are using `Steel.validateCommitment` in tandem with zkVM proof verification of a Steel program, as shown in the ERC-20 counter example, and documentation. This is the correct usage of Steel, and users following this pattern are not at risk, and do not need to take action. Users not verifying a zkVM proof of a Steel program should update their application to do so, as this is incorrect usage of Steel.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-6580 - SourceCodester Best Salon Management System SQL Injection Vulnerability
CVE ID : CVE-2025-6580
Published : June 24, 2025, 10:15 p.m. | 2 hours ago
Description : A vulnerability classified as critical has been found in SourceCodester Best Salon Management System 1.0. Affected is an unknown function of the component Login. The manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-6580
Published : June 24, 2025, 10:15 p.m. | 2 hours ago
Description : A vulnerability classified as critical has been found in SourceCodester Best Salon Management System 1.0. Affected is an unknown function of the component Login. The manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-6581 - SourceCodester Best Salon Management System SQL Injection Vulnerability
CVE ID : CVE-2025-6581
Published : June 24, 2025, 11:15 p.m. | 1 hour, 1 minute ago
Description : A vulnerability classified as critical was found in SourceCodester Best Salon Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /add-customer.php. The manipulation of the argument name/email/mobilenum/gender/details/dob/marriage_date leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-6581
Published : June 24, 2025, 11:15 p.m. | 1 hour, 1 minute ago
Description : A vulnerability classified as critical was found in SourceCodester Best Salon Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /add-customer.php. The manipulation of the argument name/email/mobilenum/gender/details/dob/marriage_date leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-6582 - SourceCodester Best Salon Management System SQL Injection Vulnerability
CVE ID : CVE-2025-6582
Published : June 25, 2025, 12:15 a.m. | 4 hours, 1 minute ago
Description : A vulnerability, which was classified as critical, has been found in SourceCodester Best Salon Management System 1.0. Affected by this issue is some unknown functionality of the file /edit-customer-detailed.php. The manipulation of the argument editid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-6582
Published : June 25, 2025, 12:15 a.m. | 4 hours, 1 minute ago
Description : A vulnerability, which was classified as critical, has been found in SourceCodester Best Salon Management System 1.0. Affected by this issue is some unknown functionality of the file /edit-customer-detailed.php. The manipulation of the argument editid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-6583 - SourceCodester Best Salon Management System SQL Injection Vulnerability
CVE ID : CVE-2025-6583
Published : June 25, 2025, 12:15 a.m. | 4 hours, 1 minute ago
Description : A vulnerability, which was classified as critical, was found in SourceCodester Best Salon Management System 1.0. This affects an unknown part of the file /view-appointment.php. The manipulation of the argument viewid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-6583
Published : June 25, 2025, 12:15 a.m. | 4 hours, 1 minute ago
Description : A vulnerability, which was classified as critical, was found in SourceCodester Best Salon Management System 1.0. This affects an unknown part of the file /view-appointment.php. The manipulation of the argument viewid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...