In Discourse versions between commits 10df7fdee060d44accdee7679d66d778d1136510 and 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b on the 3.5.0.beta4 branch a medium severity vulnerability CVE-2025-46813 was detected. This vulnerability allows unauthenticated users to view private homepage content on login-required sites deployed during the affected window. To address this issue, users should upgrade Discourse to versions above commit 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-46813.
In Discourse versions prior to 3.4.3 (stable) and 3.5.0.beta3 (beta) a medium severity vulnerability CVE-2025-32376 was detected. This vulnerability allows attackers to bypass the user limit for direct messages (DMs), potentially enabling the creation of a DM including every user on a site. To address this issue, users should upgrade Discourse to versions 3.4.3 (stable) or later, 3.5.0.beta3 (beta) or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-32376.

In Mattermost versions 10.4.x ≤ 10.4.2, 10.5.x ≤ 10.5.0 and 9.11.x ≤ 9.11.10 a medium severity vulnerability CVE-2025-41395 was detected. This issue arises from improper validation of `props` in the `RetrospectivePost` custom post type in the Playbooks plugin, allowing attackers to craft posts that can trigger a denial of service (DoS) across the web app for all users. To address this issue, users should upgrade Mattermost to versions 10.6.0, 10.4.3, 10.5.1, 9.11.11 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-41395.

In Mattermost versions 10.4.x ≤ 10.4.2, 10.5.x ≤ 10.5.0 and 9.11.x ≤ 9.11.10 a medium severity vulnerability CVE-2025-35965 was identified. The issue lies in the failure to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, allowing attackers to create tasks with excessive triggered actions that can overwhelm the server and cause a denial-of-service (DoS) condition. To resolve this issue, users should upgrade Mattermost to versions 10.6.0, 10.4.3, 10.5.1, 9.11.11 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-35965.

In Mattermost versions 10.4.x ≤ 10.4.2, 10.5.x ≤ 10.5.0 and 9.11.x ≤ 9.11.10 a low severity vulnerability CVE-2025-41423 was detected. This issue allows any user or attacker to delete posts created by the Playbooks bot through the `/plugins/playbooks/api/v0/signal/keywords/ignore-thread` API endpoint, even without channel access or proper permissions. To address this issue, users should upgrade Mattermost to versions 10.6.0, 10.4.3, 10.5.1, 9.11.11 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-41423.

In Mattermost versions 10.5.x ≤ 10.5.1, 10.4.x ≤ 10.4.3 and 9.11.x ≤ 9.11.9 a medium severity vulnerability CVE-2025-2564 was detected. This vulnerability allows authenticated users to view members and member information of archived channels even when the ‘Allow users to view/update archived channels’ setting is disabled. To address this issue, users should upgrade Mattermost to versions 10.5.2, 10.4.4, 9.11.10 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2564.

In Zulip versions prior to 10.2 a high severity vulnerability CVE-2025-31478 was detected. This vulnerability allows attackers to create accounts in organizations configured to use SSO-only authentication, even without having an account with the configured SSO backend. To address this issue, users should upgrade Zulip to version 10.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-31478.

In Mattermost versions 10.5.0 to 10.5.1 and 9.11.0 to 9.11.9 a low severity vulnerability CVE-2025-27538 was detected. This vulnerability allows users with certain permissions to turn MFA on or off for other users without proper checks. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-27538.

In Mattermost versions 10.5.x ≤ 10.5.1, 10.4.x ≤ 10.4.3 and 9.11.x ≤ 9.11.9 a medium severity vulnerability CVE-2025-27571 was detected. This vulnerability allows authenticated users to access channel metadata from archived channels regardless of the “Allow Users to View Archived Channels” configuration setting. To address this issue, users should upgrade Mattermost to versions 10.6.0, 10.5.2, 10.4.4, 9.11.10 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27571.