
CVE-2025-52572 – Hikka vulnerable to RCE through dangling web interface
https://notcve.org/view.php?id=CVE-2025-52572
24 Jun 2025 — Hikka is a Telegram userbot. This vulnerability affects all users on all versions of Hikka. Two scenarios are possible. 1. The web interface has no authenticated session: an attacker can authorize in the dangling web interface with their own Telegram account and gain RCE on the server. 2. The web interface does have an authenticated session: because the authentication message carried an insufficient warning, users were tempted to click "Allow" in the "Allow web application ops" menu. This gave an attacker access not on... • https://github.com/hikariatama/Hikka/security/advisories/GHSA-7x3c-335v-wxjj • CWE-287: Improper Authentication •
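A worked illustration of the authentication pattern behind scenario 1, added as an example for this page and not code from Hikka or its advisory: a web panel that binds nobody (whichever Telegram account authorizes first takes the session, so a dangling interface is an open door) beside one that accepts only the owner id recorded at install time, confirms it with a one-time token the bot sends to that owner's own chat, and closes the authorization window after a timeout. The class names, the owner and attacker ids, the out-of-band token delivery and the 300-second window are assumptions; scenario 2 (the wording of the "Allow" prompt) is not modelled.

```python
"""CWE-287 in a userbot web panel: a dangling interface that accepts any
Telegram account, beside one bound to the owner.  Hypothetical code written
for this page; it is not Hikka's implementation."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DanglingWebInterface:
    """Vulnerable pattern: the first Telegram account to authorize owns the session."""
    session_user: Optional[int] = None

    def authorize(self, telegram_user_id: int) -> bool:
        if self.session_user is None:            # no session yet -> anyone wins
            self.session_user = telegram_user_id
        return self.session_user == telegram_user_id


@dataclass
class BoundWebInterface:
    """Hardened pattern: only the owner id may authorize, proven with a one-time
    token delivered to that owner's own chat, and only inside a short window."""
    owner_id: int
    window_seconds: float = 300.0                # assumed timeout
    opened_at: float = field(default_factory=time.monotonic)
    session_user: Optional[int] = None
    _pending_token: Optional[str] = field(default=None, repr=False)

    def _window_open(self, now: Optional[float]) -> bool:
        now = time.monotonic() if now is None else now
        return now - self.opened_at <= self.window_seconds

    def issue_token(self, now: Optional[float] = None) -> str:
        """Token the bot would send to the owner's Telegram chat (assumed
        out-of-band channel); only the holder of that account can read it."""
        if not self._window_open(now):
            raise PermissionError("authorization window closed")
        self._pending_token = secrets.token_urlsafe(32)
        return self._pending_token

    def authorize(self, telegram_user_id: int, token: str,
                  now: Optional[float] = None) -> bool:
        if not self._window_open(now):
            return False                         # expired: closed, not dangling
        if telegram_user_id != self.owner_id:
            return False                         # any other account is rejected
        if self._pending_token is None or not secrets.compare_digest(token, self._pending_token):
            return False
        self._pending_token = None               # single use, no replay
        self.session_user = telegram_user_id
        return True


def demo() -> dict:
    """Runs both patterns against a constructed owner and attacker."""
    OWNER, ATTACKER = 111111, 999999             # constructed Telegram user ids
    vuln = DanglingWebInterface()
    attacker_took_over = vuln.authorize(ATTACKER)

    hard = BoundWebInterface(owner_id=OWNER, opened_at=0.0)
    tok = hard.issue_token(now=10.0)
    attacker_rejected = not hard.authorize(ATTACKER, tok, now=20.0)
    owner_ok = hard.authorize(OWNER, tok, now=30.0)
    replay_rejected = not hard.authorize(OWNER, tok, now=40.0)

    late = BoundWebInterface(owner_id=OWNER, opened_at=0.0)
    try:
        late.issue_token(now=1000.0)             # long past the window
        window_closed = False
    except PermissionError:
        window_closed = True

    return {
        "attacker_took_over": attacker_took_over,
        "attacker_rejected": attacker_rejected,
        "owner_ok": owner_ok,
        "replay_rejected": replay_rejected,
        "window_closed": window_closed,
        "vuln_session": vuln.session_user,
        "hard_session": hard.session_user,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is that there is never a state in which the panel is listening with no identity bound to it: the owner id is fixed before the interface opens, the token can only reach that owner, and an unanswered window closes itself instead of waiting for whoever arrives first.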

CVE-2025-52571 – Hikka vulnerable to RCE through edits in a channel
https://notcve.org/view.php?id=CVE-2025-52571
24 Jun 2025 — Hikka is a Telegram userbot. This vulnerability affects all users of versions below 1.6.2, including most of the forks. It allows an unauthenticated attacker to gain access to the victim's Telegram account as well as full access to the server. The issue is patched in version 1.6.2. No known workarounds are available. • https://github.com/hikariatama/Hikka/commit/9a0e4b1b387ef828c345c43d990421d5afcff5f6 • CWE-287: Improper Authentication •