Data Management and Analytics

In Kibana versions up to and including 7.17.28, 8.0.0 to 8.17.7, 8.18.0 to 8.18.2, and 9.0.0 to 9.0.2 a medium severity vulnerability CVE-2025-25012 was detected. The flaw allows open redirect attacks through the Short URLs feature in Discover, Dashboard, and Visualization Library, which can redirect users to arbitrary sites and enable server-side request forgery (SSRF). To address this issue, users should upgrade Kibana to versions 7.17.29, 8.17.8, 8.18.3, 9.0.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25012.

In Kibana versions prior to 7.17.29, 8.17.8, 8.18.3 and 9.0.3 a medium severity vulnerability CVE-2024-52974 was detected. This vulnerability allows a user with read permissions for Observability to send a specially crafted request to the Observability API, which could cause the Kibana server to crash. To address this issue, users should upgrade Kibana to versions 7.17.29, 8.17.8, 8.18.3, 9.0.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-52974.

In Apache Airflow 3.0.3 a high severity vulnerability CVE-2025-54831 was detected. Sensitive connection details were exposed to users with READ permissions through both the API and UI, bypassing the intended “write-only” model and the AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS configuration option. To address this issue, users should upgrade Airflow to version 3.0.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-54831.

In Liferay Portal versions 7.4.0 through 7.4.3.112, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-43807 was detected. This vulnerability allows a remote attacker to inject arbitrary web script or HTML via a crafted payload injected into a publication’s “Name” text field in the notifications widget. To address this issue, users should upgrade Liferay Portal to version 7.4.3.113 and Liferay DXP to versions 2024.Q2.0, 2024.Q1.1 or 2023.Q4.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43807.

In Ashlar-Vellum Graphite version 13_SE_13048 a high severity vulnerability CVE-2025-7981 was detected. This vulnerability allows remote attackers to execute arbitrary code on affected installations by exploiting uninitialized memory during VC6 file parsing when a user opens a malicious file. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7981.

In Ashlar-Vellum Graphite version 13_SE_13048 a high severity vulnerability CVE-2025-7980 was detected. This vulnerability allows remote attackers to execute arbitrary code on affected installations by exploiting improper validation of user-supplied data in a VC6 file, which can result in an out-of-bounds write when a user opens a malicious file. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7980.

In Ashlar-Vellum Graphite version 13_SE_13048 a high severity vulnerability CVE-2025-7979 was detected. This vulnerability allows remote attackers to execute arbitrary code on affected installations by exploiting improper validation of the length of user-supplied data during VC6 file parsing, which can result in a stack-based buffer overflow when a user opens a malicious file. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7979.

In Liferay Portal versions 7.4.0 through 7.4.3.112, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.7, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-43806 was detected. This vulnerability allows an authenticated attacker to access exported data via the REST APIs due to a permission check flaw. To address this issue, users should upgrade Liferay Portal to version 7.4.3.113 and Liferay DXP to versions 2024.Q2.0, 2024.Q1.1 or 2023.Q4.8. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43806.

In Kibana versions 9.0.0 up to and including 9.0.5 and versions 9.1.0 up to and including 9.1.2 a medium severity vulnerability CVE-2025-25010 was detected. This vulnerability allows an attacker to escalate privileges via the reporting_user role, which can access all Kibana Spaces. To address this issue, users should upgrade Kibana to versions 9.0.6 or 9.1.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25010.