In Metabase version 54.10 a medium-severity vulnerability, CVE-2025-5895, was detected. This vulnerability allows attackers to trigger inefficient regular expression complexity in the parseDataUri function (frontend/src/metabase/lib/dom.js), potentially leading to denial of service via remote exploitation. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5895.
Category: Data Analytics

In Redash versions up to 10.1.0/25.1.0 a medium-severity vulnerability, CVE-2025-5874, was detected. This vulnerability allows attackers to exploit a sandbox issue in the run_query function (/query_runner/python.py) of the getattr Handler component, potentially leading to remote code execution. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5874.
Category: Data Analytics

In Discourse versions prior to 3.4.4 (stable branch), 3.5.0.beta5 (beta branch) and 3.5.0.beta6-dev (tests-passed branch) a high-severity vulnerability, CVE-2025-48877, was detected. This vulnerability allows attackers to execute arbitrary JavaScript through Codepen iframes included in the default allowed_iframes site setting. To address this issue, users should upgrade Discourse to version 3.4.4 (stable branch), 3.5.0.beta5 (beta branch) or 3.5.0.beta6-dev (tests-passed branch). For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-48877.
Category: Communication

In Discourse versions prior to 3.4.4 (stable branch), 3.5.0.beta5 (beta branch) and 3.5.0.beta6-dev (tests-passed branch) a high-severity vulnerability, CVE-2025-48062, was detected. This vulnerability allows HTML injection in email bodies when invites sent to users without accounts include topic titles containing HTML, affecting both private message and topic invitations with custom messages. To address this issue, users should upgrade Discourse to version 3.4.4, 3.5.0.beta5 or 3.5.0.beta6-dev. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-48062.
Category: Communication

In Discourse versions prior to 3.4.4 (stable branch), 3.5.0.beta5 (beta branch) and 3.5.0.beta6-dev (tests-passed branch) a high-severity vulnerability, CVE-2025-48053, was detected. This vulnerability allows attackers to reduce the availability of a Discourse instance by sending a malicious URL in a private message to a bot user. To address this issue, users should upgrade Discourse to version 3.4.4 (stable branch), 3.5.0.beta5 (beta branch) or 3.5.0.beta6-dev (tests-passed branch). For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-48053.
Category: Communication

In the Freemind Viewer plugin for WordPress, versions up to and including 1.0, a medium-severity vulnerability, CVE-2025-5536, was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject malicious scripts via the freemind shortcode due to insufficient input sanitization and output escaping. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5536.
Category: CMS

In the Hide It plugin for WordPress, versions up to and including 1.0.1, a medium-severity vulnerability, CVE-2025-5565, was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject malicious scripts via the plugin's hideit shortcode due to insufficient input sanitization and output escaping. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5565.
Category: CMS

In the WP-Addpub plugin for WordPress, versions up to and including 1.2.8, a medium-severity vulnerability, CVE-2025-5563, was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to extract sensitive information from the database via SQL injection through the wp-addpub shortcode, due to insufficient input escaping and improper SQL query preparation. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5563.
Category: CMS

In the Runners Log plugin for WordPress, versions up to and including 3.9.2, a medium-severity vulnerability, CVE-2025-5541, was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject malicious scripts via the runnerslog shortcode due to insufficient input sanitization and output escaping. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5541.
Category: CMS