Data Management and Analytics

In GeoServer versions prior to 2.26.2 and 2.25.6 a medium severity vulnerability CVE-2024-38524 was detected. This vulnerability allows users to access potentially sensitive information via the `GeoWebCacheDispatcher.handleFrontPage` method, as there is no default mechanism to hide storage locations unless a specific system property is manually configured. To address this issue, users should upgrade GeoServer to versions 2.26.2 or 2.25.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-38524.

In GeoServer versions prior to 2.27.1, 2.26.3 and 2.25.7 a critical severity vulnerability CVE-2025-30220 was detected. This vulnerability allows attackers to exploit XML External Entity (XXE) injection due to improper use of the EntityResolver in the GeoTools Schema class, affecting XML parsing when external schemas are referenced. To address this issue, users should upgrade GeoServer to versions 2.27.1, 2.26.3 or 2.25.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-30220.

In GeoServer versions prior to 2.27.0, 2.26.3 and 2.25.7 a high severity vulnerability CVE-2025-30145 was detected. This vulnerability allows attackers to execute malicious Jiffle scripts as rendering transformations in WMS dynamic styles or WPS processes, potentially triggering an infinite loop and causing denial of service. To address this issue, users should upgrade GeoServer to versions 2.27.0, 2.26.3 or 2.25.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-30145.

In GeoServer versions prior to 2.26.3 and 2.25.6 a medium severity vulnerability CVE-2025-27505 was detected. This vulnerability allows attackers to bypass REST API access controls by appending file extensions (e.g., `.html`) to the `/rest` path, potentially disclosing information about installed extensions. To address this issue, users should upgrade GeoServer to versions 2.26.3 or 2.25.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27505.

In Metabase versions 54.10 a medium severity vulnerability CVE-2025-5895 was detected. This vulnerability allows attackers to trigger inefficient regular expression complexity in the parseDataUri function (frontend/src/metabase/lib/dom.js), potentially leading to denial of service via remote exploitation. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5895.

In Redash versions up to 10.1.0/25.1.0 a medium severity vulnerability CVE-2025-5874 was detected. This vulnerability allows attackers to exploit a sandbox issue in the run_query function (/query_runner/python.py) of the getattr Handler component, potentially leading to remote code execution. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5874.

In Redis versions from 7.0.0 to before 8.0.2 a medium severity vulnerability CVE-2025-27151 was detected. This vulnerability allows attackers to trigger a stack-based buffer overflow in redis-check-aof by exploiting unsafe use of memcpy with user-supplied file paths, potentially leading to remote code execution. To address this issue, users should upgrade Redis to versions 8.0.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27151.

In Grafana versions >= 11.2,>= 11.3, >= 11.4, >= 11.5, >= 11.6, >= 12.0 a high severity vulnerability CVE-2025-4123 was detected. This vulnerability allows attackers to redirect users to a malicious site hosting a plugin that executes arbitrary JavaScript, even without editor permissions, and is exploitable if anonymous access is enabled. To address this issue, users should update Grafana to versions 12.0.0+security-01, 11.6.1+security-01, 11.5.4+security-01, 11.4.4+security-01, 11.3.6+security-01, 11.2.9+security-01 or 10.4.18+security-01. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4123.

In Grafana OSS versions 12.0.0 up to 12.0.1, 11.6.1 up to 11.6.2, 11.5.4 up to 11.5.5 a medium severity vulnerability CVE-2025-3580 was detected. This access control flaw allows an Organization administrator to permanently delete a Server administrator account (if the Server admin is in the same organization or unassigned) potentially leaving the instance without any super-user and rendering it unmanageable. To address this issue, users should upgrade Grafana to versions 10.4.19, 11.2.10, 11.3.7, 11.4.5, 11.5.5, 11.6.2 or 12.0.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3580.