In NocoDB versions 0.257.9 and prior, a medium severity vulnerability, CVE-2025-27506, was detected. This vulnerability allows attackers to exploit a reflected Cross-Site Scripting (XSS) flaw in the /api/v1/db/auth/password/reset/:tokenId API endpoint due to the use of the insecure function "<%-" in the client-side template engine ejs, which is rendered by the function renderPasswordReset. To address this issue, users should upgrade NocoDB to version 0.258.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27506.
In Kibana versions 8.15.0 up to, but not including, 8.17.1, a critical severity vulnerability, CVE-2025-25015, was detected. This vulnerability allows users with the Viewer role to achieve arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. To address this issue, users should upgrade Kibana to version 8.17.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25015.
In Metabase Enterprise Edition versions 1.47.0 and prior to 1.50.36, 1.51.14, 1.52.11, and 1.53.2, a medium severity vulnerability, CVE-2025-27141, was detected. This vulnerability allows users with impersonation permissions to access cached query results, even if they lack permission to view the data. To address this issue, users should upgrade to versions 1.50.36, 1.51.14, 1.52.11 or 1.53.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27141.
In MySQL Server versions up to 9.1.0, a medium severity vulnerability, CVE-2025-21567, was detected. This vulnerability allows a low-privileged attacker with network access via multiple protocols to compromise MySQL Server. To address this issue, users should upgrade to version 9.2.0 or higher. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-21567.
In Grafana versions prior to 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15, a medium severity vulnerability, CVE-2024-11741, was detected. This vulnerability allows users with Viewer permissions to improperly access the Grafana Alerting VictorOps integration. To address this issue, users should upgrade Grafana to versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 or 10.4.15. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11741.
In phpMyAdmin versions from 5.0.0 before 5.2.2, a medium severity vulnerability, CVE-2025-24530, was detected. This vulnerability allows attackers to execute cross-site scripting (XSS) by using a crafted table or database name. To address this issue, users should upgrade to version 5.2.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-24530.
In phpMyAdmin versions from 5.0.0 before 5.2.2, a medium severity vulnerability, CVE-2025-24529, was detected. This vulnerability allows attackers to execute cross-site scripting (XSS) through the Insert tab. To address this issue, users should upgrade phpMyAdmin to version 5.2.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-24529.
In Kibana versions from 8.0.0 up to 8.15.0, a high severity vulnerability, CVE-2024-43707, was detected. This vulnerability allows attackers to view Elastic Agent policies without proper access, potentially exposing sensitive information based on the integrations enabled and their versions. To address this issue, users should upgrade Kibana to version 8.15.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-43707.
In Kibana versions from 8.7.0 up to 8.15.0, a medium severity vulnerability, CVE-2024-43710, was detected. This vulnerability allows attackers to exploit the /api/fleet/health_check API to send server-side requests to internal endpoints, with the limitation that only HTTPS endpoints returning JSON data can be accessed. To address this issue, users should upgrade Kibana to version 8.15.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-43710.