THREAT ALERT

Daily vulnerability intelligence for defenders – fresh CVEs with exploitability signals, patch status, and action-oriented priorities from 17 sources.

CVEs published

Track vulnerabilities that matter to your stack

Personalized alerts, dashboards, and weekly digests – free.

Trending Now

Critical Watch

Attack Technique Trend

Prediction based on ZDI Disclosures & CVE data · 30 days

Analytics

Vendor Today – Quick Filter

Techniques

results

Sort:

Base Score

Vector String

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

0 | 3.9| 6.9| 8.9| 10

NONE LOW MEDIUM HIGH CRITICAL

CVSS Filter – CVEs match

No CVEs match the selected criteria

Browse older vulnerabilities in Archive

Live Feed auto-refresh 60s

Vulnerability Intelligence — June 21, 2025

57 CVEs tracked today. 1 Critical, 31 High, 20 Medium, 4 Low.

CVE-2025-6216 CRITICAL CVSS 9.8
Allegra project tracking software contains an authentication bypass in the password recovery token generation. Unauthenticated remote attackers can calculate the token expiration date and generate valid password reset tokens, allowing them to reset any user's password including administrators.

Authentication Bypass Allegra
CVE-2025-52488 HIGH CVSS 8.6
DNN (DotNetNuke) CMS versions 6.0.0 through 10.0.0 contain a vulnerability that can expose NTLM hashes to a third-party SMB server. Through a specially crafted series of interactions, an attacker can force the DNN server to authenticate to an attacker-controlled SMB server, capturing NTLM credential hashes for offline cracking.

Microsoft Information Disclosure Dotnetnuke
CVE-2025-6218 HIGH CVSS 7.8
WinRAR contains a directory traversal vulnerability (CVE-2025-6218, CVSS 7.8) enabling remote code execution when users extract crafted archives. KEV-listed with EPSS 4.7% and public PoC, this vulnerability allows archive files to write outside the extraction directory, placing malicious files in startup folders or other sensitive locations. Given WinRAR's 500+ million user base, this is a high-impact social engineering vector.

RCE Path Traversal Winrar
CVE-2025-52557 HIGH CVSS 8.6
CVE-2025-52557 is a stored/reflected XSS vulnerability in Mail-0's Zero email solution (version 0.8) that allows unauthenticated attackers to craft malicious emails containing unexecuted JavaScript code. When a victim opens the email in the web interface, the JavaScript executes in their browser context, enabling session hijacking and potential account takeover. The vulnerability has been patched in version 0.81, and exploitation requires user interaction (opening the email), making it a moderate-to-high severity issue suitable for rapid patching.

Information Disclosure XSS Session Fixation
CVE-2025-52487 HIGH CVSS 7.5
CVE-2025-52487 is an authentication bypass vulnerability in DNN (DotNetNuke) versions 7.0.0 through 10.0.0 that allows attackers to circumvent IP-based login filters by crafting specially designed requests or using proxy techniques. An unauthenticated remote attacker can bypass IP whitelist restrictions to attempt logins from unauthorized locations, potentially gaining unauthorized access to administrative accounts. The vulnerability has been patched in version 10.0.1 and carries a CVSS 7.5 score reflecting high integrity impact, though no public exploitation or active KEV listing has been reported at this time.

Microsoft Authentication Bypass Dotnetnuke
CVE-2025-6446 HIGH CVSS 7.3
A critical SQL injection vulnerability exists in code-projects Client Details System version 1.0, specifically in the /clientdetails/admin/index.php file where the Username parameter is improperly validated. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has public exploit code available and demonstrates moderate real-world risk despite the critical classification, with a CVSS score of 7.3 indicating concrete but not maximum severity.

PHP SQLi Client Details System
CVE-2025-6421 HIGH CVSS 7.3
A critical SQL injection vulnerability exists in code-projects Simple Online Hotel Reservation System version 1.0, specifically in the /admin/add_account.php file where the 'name' or 'admin_id' parameters are not properly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion of the hotel reservation database. Public exploit code is available and the vulnerability is actively being disclosed, increasing exploitation risk in the wild.

PHP SQLi Simple Online Hotel Reservation System
CVE-2025-6420 HIGH CVSS 7.3
A critical SQL injection vulnerability exists in code-projects Simple Online Hotel Reservation System version 1.0, specifically in the /admin/add_room.php file where the 'room_type' parameter is insufficiently sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion of hotel reservation system data. A proof-of-concept exploit has been publicly disclosed, increasing real-world exploitation risk.

PHP SQLi Simple Online Hotel Reservation System
CVE-2025-6419 HIGH CVSS 7.3
CVE-2025-6419 is a critical SQL injection vulnerability in code-projects Simple Online Hotel Reservation System 1.0 affecting the /admin/edit_room.php endpoint, where the 'room_type' parameter is improperly sanitized, allowing unauthenticated remote attackers to execute arbitrary SQL commands. The vulnerability has a CVSS score of 7.3 with public proof-of-concept code available, indicating active exploitation risk and widespread discoverability.

PHP SQLi Simple Online Hotel Reservation System
CVE-2025-6418 HIGH CVSS 7.3
CVE-2025-6418 is a critical SQL injection vulnerability in Simple Online Hotel Reservation System 1.0 affecting the /admin/edit_query_account.php endpoint, where the 'Name' parameter is improperly sanitized, allowing remote attackers to execute arbitrary SQL queries without authentication. The vulnerability has been publicly disclosed with exploit code availability, making it a high-priority threat for organizations running this system in production; attackers can manipulate database queries to extract sensitive data, modify records, or potentially escalate privileges.

PHP SQLi Remote Code Execution Simple Online Hotel Reservation System
CVE-2025-6409 HIGH CVSS 7.3
CVE-2025-6409 is a critical SQL injection vulnerability in PHPGurukul Art Gallery Management System 1.1 affecting the /admin/forgot-password.php endpoint. An unauthenticated remote attacker can manipulate the 'email' parameter to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or denial of service. The vulnerability has been publicly disclosed with proof-of-concept availability, making it actively exploitable in the wild.

PHP SQLi Art Gallery Management System
CVE-2025-6408 HIGH CVSS 7.3
A critical SQL injection vulnerability exists in Campcodes Online Hospital Management System version 1.0 affecting the /doctor/search.php endpoint via the 'searchdata' parameter. An unauthenticated remote attacker can execute arbitrary SQL queries, potentially compromising confidentiality, integrity, and availability of the hospital database. Public exploit disclosure and lack of authentication requirements significantly elevate real-world risk.

PHP SQLi Online Hospital Management System
CVE-2025-6407 HIGH CVSS 7.3
A SQL injection vulnerability (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi Online Hospital Management System
CVE-2025-6406 HIGH CVSS 7.3
CVE-2025-6406 is a critical SQL injection vulnerability in Campcodes Online Hospital Management System version 1.0, specifically in the /hms/forgot-password.php endpoint where the 'fullname' parameter is unsanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of sensitive hospital patient and administrative data. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.

PHP SQLi Online Hospital Management System
CVE-2025-6405 HIGH CVSS 7.3
CVE-2025-6405 is a critical SQL injection vulnerability in Campcodes Online Teacher Record Management System version 1.0, affecting the /admin/edit-teacher-detail.php endpoint through an unsanitized 'editid' parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of teacher records and sensitive educational data. Public disclosure and proof-of-concept availability indicate active exploitation risk, though CVSS 7.3 reflects moderate actual impact (read/write/availability) rather than complete system compromise.

PHP SQLi Online Teacher Record Management System
CVE-2025-6404 HIGH CVSS 7.3
CVE-2025-6404 is a critical SQL injection vulnerability in Campcodes Online Teacher Record Management System version 1.0, specifically in the /admin/search.php file's searchdata parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the database. Public disclosure and available proof-of-concept code indicate active exploitation is possible and likely occurring.

PHP SQLi Online Teacher Record Management System
CVE-2025-6403 HIGH CVSS 7.3
CVE-2025-6403 is a critical SQL injection vulnerability in code-projects School Fees Payment System version 1.0, specifically in the /student.php file's ID parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of student and payment records. The vulnerability has been publicly disclosed with working exploits available, and while the CVSS score of 7.3 indicates medium-to-high severity, the SQL injection vector combined with public PoC availability presents significant real-world risk for deployed instances.

PHP SQLi School Fees Payment System
CVE-2025-6402 HIGH CVSS 8.8
CVE-2025-6402 is a critical buffer overflow vulnerability in TOTOLINK X15 firmware version 1.0.0-B20230714.1105 affecting the IPv6 setup HTTP POST handler. An authenticated remote attacker can exploit improper input validation on the 'submit-url' parameter to achieve complete system compromise (confidentiality, integrity, and availability). Public exploit code exists for this vulnerability, increasing real-world exploitation risk.

Buffer Overflow TP-Link RCE X15 Firmware TOTOLINK
CVE-2025-6400 HIGH CVSS 8.8
CVE-2025-6400 is a critical buffer overflow vulnerability in TOTOLINK N300RH router firmware version 6.1c.1390_B20191101, exploitable via HTTP POST requests to the /boafrm/formPortFw endpoint through manipulation of the service_type parameter. An authenticated attacker can remotely trigger this vulnerability to achieve complete system compromise (confidentiality, integrity, and availability). Public exploit code is available and the vulnerability meets criteria for active exploitation risk due to disclosed POC and remote exploitability from an authenticated state.

Buffer Overflow TP-Link RCE N300rh Firmware TOTOLINK
CVE-2025-6399 HIGH CVSS 8.8
CVE-2025-6399 is a critical buffer overflow vulnerability in TOTOLINK X15 router (firmware version 1.0.0-B20230714.1105) affecting the HTTP POST request handler for the /boafrm/formIPv6Addr endpoint. An authenticated attacker can exploit the improper handling of the 'submit-url' parameter to trigger a buffer overflow, achieving remote code execution with full system compromise (confidentiality, integrity, and availability). A public exploit has been disclosed and the vulnerability is likely to see active exploitation given its criticality and ease of exploitation.

Buffer Overflow TP-Link X15 Firmware TOTOLINK
CVE-2025-6394 HIGH CVSS 7.3
A SQL injection vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi Simple Online Hotel Reservation System
CVE-2025-6393 HIGH CVSS 8.8
CVE-2025-6393 is a critical buffer overflow vulnerability in the HTTP POST request handler of TOTOLINK routers affecting models A702R, A3002R, A3002RU, and EX1200T across multiple firmware versions. An authenticated attacker can exploit this vulnerability by manipulating the 'submit-url' parameter in requests to /boafrm/formIPv6Addr to achieve remote code execution with full system compromise (confidentiality, integrity, and availability impact). The exploit has been publicly disclosed and may be actively exploited in the wild.

Buffer Overflow TP-Link RCE A3002r Firmware A702r Firmware
CVE-2025-6374 HIGH CVSS 8.8
CVE-2025-6374 is a critical stack-based buffer overflow vulnerability in D-Link DIR-619L version 2.06B01, affecting the formSetACLFilter function's curTime parameter. An authenticated remote attacker can exploit this to achieve arbitrary code execution with high impact on confidentiality, integrity, and availability. Public exploit code exists for this end-of-life product, making it an immediate concern for organizations still operating legacy D-Link equipment.

Buffer Overflow D-Link RCE Dir 619l Firmware
CVE-2025-6373 HIGH CVSS 8.8
CVE-2025-6373 is a critical stack-based buffer overflow vulnerability in D-Link DIR-619L firmware version 2.06B01 affecting the formSetWizard1 function via the /goform/formWlSiteSurvey endpoint. An authenticated remote attacker can exploit this vulnerability by manipulating the 'curTime' parameter to achieve arbitrary code execution with full system compromise (confidentiality, integrity, and availability impact). Public exploit code is available and the affected product is end-of-life with no vendor support.

Buffer Overflow D-Link Dir 619l Firmware
CVE-2025-5820 HIGH CVSS 8.8
CVE-2025-5820 is a critical Bluetooth ERTM (Enhanced Retransmission Mode) channel authentication bypass vulnerability in Sony XAV-AX8500 infotainment systems that allows network-adjacent attackers to completely bypass authentication without any privileges or user interaction. Attackers can achieve high-impact compromise of confidentiality, integrity, and availability through improper channel data initialization in the Bluetooth implementation. The vulnerability has a CVSS 3.1 score of 8.8 (High) and represents a significant risk to vehicles using this aftermarket receiver, though exploitation requires physical proximity and the specific technical conditions of ERTM channel manipulation.

Authentication Bypass Xav Ax8500 Firmware
CVE-2025-5479 HIGH CVSS 7.5
A remote code execution vulnerability (CVSS 7.5) that allows network-adjacent attackers. High severity vulnerability requiring prompt remediation. Vendor patch is available.

RCE Buffer Overflow Xav Ax8500 Firmware
CVE-2025-5478 HIGH CVSS 8.8
CVE-2025-5478 is a critical integer overflow vulnerability in the Bluetooth SDP (Service Discovery Protocol) implementation of Sony XAV-AX8500 in-vehicle infotainment systems that allows unauthenticated, network-adjacent attackers to execute arbitrary code with root privileges. The vulnerability stems from insufficient input validation in buffer allocation logic, enabling remote code execution without user interaction. Given the automotive infotainment context and lack of authentication requirements, this represents a significant risk to connected vehicle security, particularly for vehicles with Bluetooth connectivity within network proximity.

RCE Xav Ax8500 Firmware
CVE-2025-5477 HIGH CVSS 7.5
A remote code execution vulnerability (CVSS 7.5) that allows network-adjacent attackers. High severity vulnerability requiring prompt remediation. Vendor patch is available.

RCE Buffer Overflow Xav Ax8500 Firmware
CVE-2025-5476 HIGH CVSS 8.8
CVE-2025-5476 is an authentication bypass vulnerability in Sony XAV-AX8500 Bluetooth car audio systems caused by improper L2CAP channel isolation in ACL-U links. A network-adjacent attacker can completely bypass authentication without user interaction to gain full control (read, modify, execute) of the device. This is a critical vulnerability affecting in-vehicle infotainment systems with potential safety and privacy implications.

Authentication Bypass Xav Ax8500 Firmware
CVE-2025-5475 HIGH CVSS 7.5
A remote code execution vulnerability (CVSS 7.5) that allows network-adjacent attackers. High severity vulnerability requiring prompt remediation. Vendor patch is available.

RCE Xav Ax8500 Firmware
CVE-2025-5034 HIGH CVSS 7.1
CVE-2025-5034 is a Reflected Cross-Site Scripting (XSS) vulnerability in the wp-file-download WordPress plugin versions before 6.2.6, caused by failure to sanitize and escape user-supplied parameters before output. Attackers can craft malicious URLs containing JavaScript payloads that execute in victims' browsers when clicked, potentially stealing session cookies, hijacking accounts, or performing unauthorized actions. The vulnerability requires user interaction (clicking a link) but affects all users without authentication requirements, making it a moderate-to-significant risk for WordPress installations using this plugin.

WordPress XSS PHP Wp File Download
CVE-2025-3221 HIGH CVSS 7.5
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a denial of service vulnerability caused by insufficient validation of incoming request resources (CWE-770: Allocation of Resources Without Limits or Throttling). A remote, unauthenticated attacker can exploit this over the network to exhaust server resources and cause service unavailability. The CVSS 7.5 score reflects high availability impact with no authentication required and low attack complexity.

IBM Denial Of Service Infosphere Information Server
CVE-2025-52919 MEDIUM CVSS 4.3
A security vulnerability in Yealink RPS (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure
CVE-2025-52918 MEDIUM CVSS 5.0
CVE-2025-52918 is a security vulnerability (CVSS 5.0). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
CVE-2025-52917 MEDIUM CVSS 4.3
The Yealink RPS API before 2025-05-26 lacks rate limiting, potentially enabling information disclosure via excessive requests.

Information Disclosure Denial Of Service
CVE-2025-52552 MEDIUM CVSS 6.1
FastGPT is an AI Agent building platform. Prior to version 4.9.12, the LastRoute Parameter on login page is vulnerable to open redirect and DOM-based XSS. Improper validation and lack of sanitization of this parameter allows attackers execute malicious JavaScript or redirect them to attacker-controlled sites. This issue has been patched in version 4.9.12.

XSS Open Redirect Fastgpt
CVE-2025-52486 MEDIUM CVSS 6.1
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows specially crafted content in URLs to be used with TokenReplace and not be properly sanitized by some SkinObjects. This issue has been patched in version 10.0.1.

Microsoft XSS Dotnetnuke
CVE-2025-52485 MEDIUM CVSS 5.4
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted request to inject scripts in the Activity Feed Attachments endpoint which will then render in the feed. This issue has been patched in version 10.0.1.

Microsoft XSS Dotnetnuke
CVE-2025-36016 MEDIUM CVSS 6.8
IBM Process Mining 2.0.1 IF001 and 2.0.1 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.

IBM Open Redirect Process Mining
CVE-2025-6422 MEDIUM CVSS 6.3
A vulnerability classified as critical was found in Campcodes Online Recruitment Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/ajax.php?action=save_settings of the component About Content Page. The manipulation of the argument img leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

File Upload PHP Authentication Bypass Online Recruitment Management System
CVE-2025-6417 MEDIUM CVSS 6.3
A vulnerability has been found in PHPGurukul Art Gallery Management System 1.1 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/add-artist.php. The manipulation of the argument awarddetails leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Art Gallery Management System
CVE-2025-6416 MEDIUM CVSS 6.3
A vulnerability, which was classified as critical, was found in PHPGurukul Art Gallery Management System 1.1. Affected is an unknown function of the file /admin/changeimage4.php. The manipulation of the argument editid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Art Gallery Management System
CVE-2025-6415 MEDIUM CVSS 6.3
A vulnerability, which was classified as critical, has been found in PHPGurukul Art Gallery Management System 1.1. This issue affects some unknown processing of the file /admin/changeimage3.php. The manipulation of the argument editid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Art Gallery Management System
CVE-2025-6414 MEDIUM CVSS 6.3
A vulnerability classified as critical was found in PHPGurukul Art Gallery Management System 1.1. This vulnerability affects unknown code of the file /admin/changeimage2.php. The manipulation of the argument editid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Art Gallery Management System
CVE-2025-6413 MEDIUM CVSS 6.3
A vulnerability classified as critical has been found in PHPGurukul Art Gallery Management System 1.1. This affects an unknown part of the file /admin/changeimage1.php. The manipulation of the argument editid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Art Gallery Management System
CVE-2025-6412 MEDIUM CVSS 6.3
A vulnerability was found in PHPGurukul Art Gallery Management System 1.1. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/changeimage.php. The manipulation of the argument editid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Art Gallery Management System
CVE-2025-6411 MEDIUM CVSS 6.3
A vulnerability was found in PHPGurukul Art Gallery Management System 1.1. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/changepropic.php. The manipulation of the argument imageid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Art Gallery Management System
CVE-2025-6410 MEDIUM CVSS 6.3
A vulnerability was found in PHPGurukul Art Gallery Management System 1.1. It has been classified as critical. Affected is an unknown function of the file /admin/edit-art-medium-detail.php. The manipulation of the argument editid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Art Gallery Management System
CVE-2025-5289 MEDIUM CVSS 6.4
The 3D FlipBook - PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ and 'mode' parameters in all versions up to, and including, 1.16.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: This issue affects only block-based themes.

WordPress XSS 3d Flipbook PHP
CVE-2025-5143 MEDIUM CVSS 6.4
The TableOn - WordPress Posts Table Filterable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's tableon_popup_iframe_button shortcode in all versions up to, and including, 1.0.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Tableon Wordpress Posts Table Filterable PHP
CVE-2025-3629 MEDIUM CVSS 4.3
CVE-2025-3629 is a security vulnerability (CVSS 4.3) that allows an authenticated user. Remediation should follow standard vulnerability management procedures.

Information Disclosure IBM Infosphere Information Server
CVE-2025-1987 MEDIUM CVSS 6.1
A Cross-Site Scripting (XSS) vulnerability has been identified in Psono-Client’s handling of vault entries of type website_password and bookmark, as used in Bitdefender SecurePass. The client does not properly sanitize the URL field in these entries. As a result, an attacker can craft a malicious vault entry (or trick a user into creating or importing one) with a javascript:URL. When the user interacts with this entry (for example, by clicking or opening it), the application will execute the malicious JavaScript in the context of the Psono vault. This allows an attacker to run arbitrary code in the victim’s browser, potentially giving them access to the user’s password vault and sensitive data.

RCE XSS Information Disclosure Securepass Psono Client
CVE-2025-52916 LOW CVSS 2.2
A remote code execution vulnerability (CVSS 2.2). Remediation should follow standard vulnerability management procedures.

Information Disclosure
CVE-2025-52556 None
rfc3161-client is a Python library implementing the Time-Stamp Protocol (TSP) described in RFC 3161. Prior to version 1.0.3, there is a flaw in the timestamp response signature verification logic. In particular, chain verification is performed against the TSR's embedded certificates up to the trusted root(s), but fails to verify the TSR's own signature against the timestamping leaf certificates. Consequently, vulnerable versions perform insufficient signature validation to properly consider a TSR verified, as the attacker can introduce any TSR signature so long as the embedded leaf chains up to some root TSA. This issue has been patched in version 1.0.3. There is no workaround for this issue.

Information Disclosure Python
CVE-2025-6401 LOW CVSS 3.5
A vulnerability was found in TOTOLINK N300RH 6.1c.1390_B20191101. It has been classified as problematic. This affects an unknown part of the file /boafrm/formFilter of the component HTTP POST Message Handler. The manipulation of the argument url leads to denial of service. The exploit has been disclosed to the public and may be used.

Denial Of Service TOTOLINK
CVE-2025-6375 LOW CVSS 3.3
A vulnerability was found in poco up to 1.14.1. It has been rated as problematic. Affected by this issue is the function MultipartInputStream of the file Net/src/MultipartReader.cpp. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 1.14.2 is able to address this issue. The patch is identified as 6f2f85913c191ab9ddfb8fae781f5d66afccf3bf. It is recommended to upgrade the affected component.

Denial Of Service Ubuntu Debian
CVE-2025-6217 LOW CVSS 2.5
PEAK-System Driver PCANFD_ADD_FILTERS Time-Of-Check Time-Of-Use Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of PEAK-System Driver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of the PCANFD_ADD_FILTERS IOCTL. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel. Was ZDI-CAN-24161.

RCE Information Disclosure

Today's Vulnerabilities Vulnerabilities