In Mattermost versions 10.4.x up to and including 10.4.2, 10.3.x up to and including 10.3.3, and 9.11.x up to and including 9.11.8, a medium-severity vulnerability, CVE-2025-30179, was detected. This vulnerability allows authenticated attackers to bypass Multi-Factor Authentication (MFA) protections via user search, channel search, or team search queries, because MFA is not enforced on certain search APIs. To address this issue, users should upgrade Mattermost to versions 10.5.0, 10.4.3, 10.3.4, 9.11.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-30179.
In Mattermost versions 10.4.x up to and including 10.4.2, 10.3.x up to and including 10.3.3, and 9.11.x up to and including 9.11.8, a medium-severity vulnerability, CVE-2025-27933, was detected. This vulnerability allows members with permission to convert public channels to private ones to also convert private channels to public, due to a failure to enforce channel conversion restrictions. To address this issue, users should upgrade Mattermost to versions 10.5.0, 10.4.3, 10.3.4, 9.11.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27933.
In Mattermost versions 10.4.x up to and including 10.4.2, 10.3.x up to and including 10.3.3, 9.11.x up to and including 9.11.8, and 10.5.x up to and including 10.5.0, a medium-severity vulnerability, CVE-2025-24920, was detected. This vulnerability allows authenticated users to create or update bookmarks in archived channels, due to a failure to restrict bookmark creation and updates in those channels. To address this issue, users should upgrade Mattermost to versions 10.6.0, 10.4.3, 10.3.4, 9.11.9, 10.5.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-24920.
In Mattermost versions 9.11.x up to and including 9.11.8, a low-severity vulnerability, CVE-2025-27715, was detected. This vulnerability allows team admins to join private channels via crafted permalink links without explicit approval, due to a failure to prompt for approval before adding a team admin to a private channel. To address this issue, users should upgrade Mattermost to versions 10.5.0, 9.11.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27715.
In Mattermost versions 10.4.x up to and including 10.4.2, 10.3.x up to and including 10.3.3, and 9.11.x up to and including 9.11.8, a medium-severity vulnerability, CVE-2025-25274, was detected. This vulnerability allows authenticated users to execute commands in archived channels, due to a failure to restrict command execution in those channels. To address this issue, users should upgrade Mattermost to versions 10.5.0, 10.4.3, 10.3.4, 9.11.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25274.
In Mattermost versions 9.11.x up to and including 9.11.8, a medium-severity vulnerability, CVE-2025-1472, was detected. This vulnerability allows attackers with the Viewer role, even when configured with No Access to Reporting, to still view team and site statistics, due to improper authorization enforcement. To address this issue, users should upgrade Mattermost to version 9.11.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1472.
In Liferay Portal versions 7.4.3.82 through 7.4.3.128 and Liferay DXP versions 2024.Q3.0, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 update 82 through update 92, a medium-severity vulnerability, CVE-2025-2536, was detected. This vulnerability allows remote attackers to inject arbitrary web scripts or HTML via the `toastData` parameter in the Frontend JS module's `layout-taglib/__liferay__/index.js`, leading to cross-site scripting (XSS) attacks. To address this issue, users should upgrade Liferay Portal to version 7.4.3.129, or Liferay DXP to versions 2024.Q1.13, 2024.Q3.1 or 2024.Q4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2536.
In the File Away plugin for WordPress, versions 3.9.9.0.1 and prior, a high-severity vulnerability, CVE-2025-2539, was detected. This vulnerability allows unauthenticated attackers to access arbitrary files on the server, due to a missing capability check in the ajax() function and a reversible weak algorithm, potentially exposing sensitive information. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2539.
In the Age Gate plugin for WordPress, versions 3.5.3 and prior, a critical-severity vulnerability, CVE-2025-2505, was detected. This vulnerability allows unauthenticated attackers to include and execute arbitrary PHP files on the server via the `lang` parameter, potentially bypassing access controls, exposing sensitive data, or achieving remote code execution if certain file types can be uploaded and included. To address this issue, users should upgrade the Age Gate plugin to version 3.5.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2505.