Data Management and Analytics

In Redis versions from 7.0.0 to before 8.0.2 a medium severity vulnerability CVE-2025-27151 was detected. This vulnerability allows attackers to trigger a stack-based buffer overflow in redis-check-aof by exploiting unsafe use of memcpy with user-supplied file paths, potentially leading to remote code execution. To address this issue, users should upgrade Redis to versions 8.0.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27151.

In Grafana versions >= 11.2,>= 11.3, >= 11.4, >= 11.5, >= 11.6, >= 12.0 a high severity vulnerability CVE-2025-4123 was detected. This vulnerability allows attackers to redirect users to a malicious site hosting a plugin that executes arbitrary JavaScript, even without editor permissions, and is exploitable if anonymous access is enabled. To address this issue, users should update Grafana to versions 12.0.0+security-01, 11.6.1+security-01, 11.5.4+security-01, 11.4.4+security-01, 11.3.6+security-01, 11.2.9+security-01 or 10.4.18+security-01. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4123.

In Grafana OSS versions 12.0.0 up to 12.0.1, 11.6.1 up to 11.6.2, 11.5.4 up to 11.5.5 a medium severity vulnerability CVE-2025-3580 was detected. This access control flaw allows an Organization administrator to permanently delete a Server administrator account (if the Server admin is in the same organization or unassigned) potentially leaving the instance without any super-user and rendering it unmanageable. To address this issue, users should upgrade Grafana to versions 10.4.19, 11.2.10, 11.3.7, 11.4.5, 11.5.5, 11.6.2 or 12.0.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3580.

In Grafana versions from 10.4.18+security-01 before 10.4.19, from 11.2.9+security-01 before 11.2.10, from 11.3.6+security-01 before 11.3.7, from 11.4.4+security-01 before 11.4.5, from 11.5.4+security-01 before 11.5.5, from 11.6.1+security-01 before 11.6.2 and from 12.0.0+security-01 before 12.0.1 a high severity vulnerability CVE-2025-4123 was detected. This vulnerability lets attackers redirect users to malicious sites executing JavaScript without editor rights, can cause SSRF with the Image Renderer plugin. To address this issue, users should upgrade Grafana to versions 10.4.18+security-01, 11.2.9+security-01, 11.3.6+security-01, 11.4.4+security-01, 11.5.4+security-01, 11.6.1+security-01 and 12.0.0+security-01. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4123.

In Pgpool-II versions 4.0 and 4.1 series, 4.2.0 to 4.2.21, 4.3.0 to 4.3.14, 4.4.0 to 4.4.11, 4.5.0 to 4.5.6 and 4.6.0 a critical severity vulnerability CVE-2025-46801 was detected. This vulnerability allows attackers to bypass authentication and log in as arbitrary users, enabling them to read, modify, or disable data in the connected database. To address this issue, users should upgrade Pgpool-II to versions 4.6.1, 4.5.7, 4.4.12, 4.3.15, 4.2.22 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-46801.

In Apache Superset versions through 4.1.1 a medium severity vulnerability CVE-2025-27696 was detected. This vulnerability allows authenticated users with read permissions to take ownership of dashboards, charts, or datasets. To address this issue, users should upgrade Apache Superset to versions 4.1.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27696.

In PostgreSQL versions before 17.5, 16.9, 15.13, 14.18 and 13.21 a medium severity vulnerability CVE-2025-4207 was detected. This vulnerability allows a database input provider to trigger a temporary denial of service by exploiting a buffer over-read in GB18030 encoding validation, potentially causing process termination on affected platforms and impacting both the database server and libpq. To address this issue, users should upgrade PostgreSQL to versions 17.5, 16.9, 15.13, 14.18 or 13.21. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4207.

In Kibana versions 8.3.0 to 8.17.5, 8.18.0 and 9.0.0 a critical severity vulnerability CVE-2025-25014 was detected. This vulnerability allows attackers to achieve arbitrary code execution through prototype pollution by sending crafted HTTP requests to machine learning and reporting endpoints. To address this issue, users should upgrade Kibana to versions 8.17.6, 8.18.1 or 9.0.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25014.

In Logstash versions prior to 8.17.6, 8.18.0 and 9.0.0 a medium severity vulnerability CVE-2025-37730 was detected. This vulnerability allows attackers to perform man-in-the-middle (MitM) attacks in “client” mode due to improper certificate validation – specifically, the lack of hostname verification when `ssl_verification_mode => full` was set in the TCP output configuration. To address this issue, users should upgrade Logstash to versions 8.17.6, 8.18.1 or 9.0.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-37730.