Proactive Insights and Support For Open-Source Applications
Communication and Collaboration

    7 Jul 2025 Communication and Collaboration
    Zulip: XSS Vulnerability in Digest Preview

    In Zulip Server versions from 2.0.0-rc1 to 10.4 a medium severity vulnerability CVE-2025-52559 was detected. This vulnerability allows attackers to inject and execute malicious scripts in users’ browsers by exploiting unsanitized topic or channel names in the /digest/ preview, potentially leading to data theft or session hijacking. To fix this issue, users should upgrade to Zulip Server version 10.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-52559.

    1 Jul 2025 Communication and Collaboration
    Mattermost: Channel Member Management Flaw

    In Mattermost versions 10.5.x up to 10.5.5, 9.11.x up to 9.11.15, 10.8.x up to 10.8.0, 10.7.x up to 10.7.2, and 10.6.x up to 10.6.5 a medium severity vulnerability CVE-2025-46702 was detected. This vulnerability allows attackers to gain unauthorized access to sensitive channel content and allows guest users to gain channel management privileges. To fix this issue, users should upgrade Mattermost to versions 10.5.6, 9.11.16, 10.8.1, 10.7.3, and 10.6.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-46702.

    1 Jul 2025 Communication and Collaboration
    Mattermost: Information Disclosure in Mattermost Channels

    In Mattermost versions up to and including 10.5.5, 9.11.15, 10.6.5, 10.7.2, and 10.8.0 a medium severity vulnerability CVE-2025-47871 was detected. This vulnerability allows authenticated users who are playbook members but not channel members to access sensitive information about linked private channels, including channel name, display name, and participant count, through the run metadata API endpoint. To address this issue users must upgrade to versions 10.5.6, 9.11.16, 10.6.6, 10.7.3, or 10.8.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-47871.

    30 Jun 2025 Communication and Collaboration
    Discourse: XSS Vulnerability via Social Logins without Content Security Policy

    In Discourse versions prior to 3.5.0.beta6, a high-severity vulnerability, CVE-2025-48954, was detected. This vulnerability allows attackers to perform cross-site scripting (XSS) attacks when the content security policy is not enabled while using social logins. To address this issue, users should upgrade Discourse to version 3.5.0.beta6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-48954.

    26 Jun 2025 Communication and Collaboration
    Discourse: Improper Post Visibility Restriction in Discourse Whisper Posts

    In Discourse versions prior to 3.4.6 (stable) and 3.5.0.beta8-dev (tests-passed), a medium-severity vulnerability, CVE-2025-49845, was detected. This vulnerability allows users to continue viewing their own whisper posts even after losing group-based permission to view such content. To address this issue, users should upgrade Discourse to version 3.4.6 or later (stable) or 3.5.0.beta8-dev (tests-passed). For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-49845.

    24 Jun 2025 Communication and Collaboration
    Mattermost: Unauthorized Access to Playbook Runs via Improper Authorization for Guest Users

    In Mattermost versions 10.5.x (up to and including 10.5.5), 9.11.x (up to and including 9.11.15), 10.8.x (up to and including 10.8.0), 10.7.x (up to and including 10.7.2) and 10.6.x (up to and including 10.6.5) a high severity vulnerability CVE-2025-3228 was detected. This vulnerability arises from improper handling of requestor information in the playbooks handler for guest users, allowing attackers to gain unauthorized access to playbook runs and potentially expose sensitive operational data and workflows. To address this issue, users should upgrade Mattermost to versions 10.5.6, 9.11.16, 10.8.1, 10.7.3, 10.6.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3228.

    24 Jun 2025 Communication and Collaboration
    Mattermost: Improper Permission Enforcement in Channel Member Management

    In Mattermost versions 10.5.x (up to 10.5.5), 9.11.x (up to 9.11.15), 10.8.x (up to 10.8.0), 10.7.x (up to 10.7.2) and 10.6.x (up to 10.6.5) a medium severity vulnerability CVE-2025-3227 was detected. This vulnerability allows authenticated users without the ‘Manage Channel Members’ permission to add or remove users from both public and private channels by manipulating playbook run participants, potentially leading to unauthorized access and data leakage. To address this issue, users should upgrade Mattermost to versions 10.5.6, 9.11.16, 10.8.1, 10.7.3, 10.6.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3227.

    20 Jun 2025 Communication and Collaboration
    Mattermost: Arbitrary File Write via Path Traversal in Mattermost Archive Extractor

    In Mattermost versions 10.5.x ≤ 10.5.5, 9.11.x ≤ 9.11.15, 10.8.x ≤ 10.8.0, 10.7.x ≤ 10.7.2 and 10.6.x ≤ 10.6.5 a critical severity vulnerability CVE-2025-4981 was detected. This vulnerability allows authenticated users to write files to arbitrary locations on the filesystem by uploading archives containing path traversal sequences in filenames, potentially leading to remote code execution. This affects instances where file attachments and content extraction are enabled (default configuration). Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4981.

    12 Jun 2025 Communication and Collaboration
    Mattermost: LDAP Search Filter Injection via Improper Group ID Validation

    In Mattermost versions 10.7.x ≤ 10.7.1, 10.6.x ≤ 10.6.3, 10.5.x ≤ 10.5.4 and 9.11.x ≤ 9.11.13 a medium severity vulnerability CVE-2025-4573 was detected. This vulnerability allows an authenticated administrator with the `PermissionSysconsoleWriteUserManagementGroups` permission to perform LDAP search filter injection through the `PUT /api/v4/ldap/groups/{remote_id}/link` API endpoint when `objectGUID` is improperly validated. To address this issue, users should upgrade Mattermost to versions 10.7.2, 10.6.4, 10.5.5, 9.11.14 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4573.

    © HOSSTED 2025 All rights reserved