In SuiteCRM version 7.14.1 a medium severity vulnerability CVE‑2025‑41384 was detected. This vulnerability allows an attacker to execute JavaScript code by modifying the HTTP Referer header to include an arbitrary domain with malicious JavaScript at the end; the server will attempt to block the arbitrary domain but still allow the JavaScript code to execute. To address this issue, users should upgrade SuiteCRM to version 7.14.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-41384.
Read more CRMIn Liferay Portal 7.4.0 through 7.4.3.109, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions a medium severity vulnerability CVE-2025-62259 was detected. This vulnerability allows remote users to access and edit content via the API before verifying their email address. To fix this issue, users should upgrade to Liferay Portal 7.4.3.110, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.0, Liferay DXP 2023.Q3.5, or Liferay DXP 7.3 Update 36. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62259.
Read more CMSIn Liferay Portal 7.4.0 through 7.4.3.107, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions a high severity vulnerability CVE-2025-62258 was detected. This vulnerability allows remote attackers to execute any Headless API via the `endpoint` parameter. To fix this issue, users should upgrade to Liferay Portal 7.4.3.108, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.1, Liferay DXP 2023.Q3.5, or Liferay DXP 7.3 U36. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62258.
Read more CMSIn Liferay Portal 7.4.0 through 7.4.3.99, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 34, and older unsupported versions a medium severity vulnerability CVE-2025-62261 was detected. This vulnerability allows attackers with access to the database to obtain password reset tokens stored in plain text, reset a user’s password, and take over the user’s account. To fix this issue, users should upgrade to Liferay Portal 7.4.3.100, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.0, Liferay DXP 2023.Q3.5, or Liferay DXP 7.3 U35. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62261.
Read more CMSIn Liferay Portal 7.3.7 through 7.4.3.103, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 service pack 3 through update 36 a medium severity vulnerability CVE-2025-62263 was detected. This vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Account Role’s “Title” text field and an Organization’s “Name” text field, potentially leading to stored cross-site scripting (XSS) on multiple pages. To fix this issue, users should upgrade to Liferay Portal 7.4.3.104, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.0, or Liferay DXP 2023.Q3.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62263.
Read more CMSIn Liferay Portal 7.3.7 through 7.4.3.103, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 service pack 3 through update 36 a medium severity vulnerability CVE-2025-62263 was detected. This vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Account Role’s “Title” text field and an Organization’s “Name” text field, potentially leading to stored cross-site scripting (XSS) on multiple pages. To fix this issue, users should upgrade to Liferay Portal 7.4.3.104, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.0, or Liferay DXP 2023.Q3.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62263.
Read more CMSIn Jeg Kit for Elementor plugin for WordPress versions prior to 2.7.0 a medium severity vulnerability CVE-2025-9978 was detected. This vulnerability allows attackers to execute arbitrary scripts in the context of a user’s browser by uploading specially crafted SVG files via xmlrpc.php. To address this issue, users should upgrade Jeg Kit for Elementor plugin to version 2.7.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8416.
Read more CMSIn Product Filter by WBW plugin for WordPress versions up to and including 2.9.7 a high severity vulnerability CVE-2025-8416 was detected. This vulnerability allows unauthenticated attackers to supply specially crafted input to the filtersDataBackend parameter to inject additional SQL into existing queries and extract sensitive database information due to insufficient escaping and lack of prepared statements. To address this issue, users should upgrade Product Filter by WBW plugin to version 2.9.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8416.
Read more CMSIn the Listeo theme for WordPress versions up to and including 2.0.8 a medium severity vulnerability CVE-2025-8413 was detected. This vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary scripts via the theme’s soundcloud shortcode because of insufficient input sanitization and output escaping on user-supplied attributes; injected scripts execute whenever a user accesses an affected page. To address this issue, users should upgrade the Listeo theme to version 2.0.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8413.
Read more CMS