In vLLM versions prior to 0.11.1, a high severity vulnerability, CVE-2025-66448, was detected. It allows attackers to achieve remote code execution by abusing the auto_map field in model configuration files: vLLM fetches and executes Python code from a remote repository even when trust_remote_code=False is set, so an attacker who publishes a crafted model repository can execute arbitrary malicious code on the host. To address this issue, users should upgrade vLLM to version 0.11.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-66448. (Category: Machine Learning)

In MongoDB Server versions prior to 7.0.28, 8.0.17, 8.2.3, 6.0.27, 5.0.32 and 4.4.30, and in versions greater than or equal to 4.2.0, 4.0.0 and 3.6.0, a high severity vulnerability, CVE-2025-14847, was detected. It may allow an unauthenticated client to read uninitialized heap memory due to mismatched length fields in Zlib compressed protocol headers. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-14847. (Category: Database)

In Elasticsearch versions 7.0.0-alpha1 and prior, prior to 8.19.8, 9.0.0-beta1 and prior, prior to 9.1.8, 9.2.0 and prior, and 9.2.1 and prior, a medium severity vulnerability, CVE-2025-68390, was detected. It is caused by allocation of resources without limits or throttling (CWE-770) and allows an authenticated user with snapshot restore privileges to trigger excessive memory allocation through a crafted HTTP request, resulting in a denial of service (DoS). To address this issue, users should upgrade Elasticsearch to versions 8.19.8, 9.1.8 or 9.2.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68390. (Category: Data Analytics)

In Elasticsearch versions 7.0.0-alpha1 and prior, prior to 8.19.8, 9.0.0-beta1 and prior, prior to 9.1.8, 9.2.0 and prior, and 9.2.2, a medium severity vulnerability, CVE-2025-68384, was detected. It stems from allocation of resources without limits or throttling (CWE-770) and allows a low-privileged authenticated user to trigger excessive memory allocation by submitting oversized user settings data, resulting in a persistent denial of service (OOM crash). To address this issue, users should upgrade Elasticsearch to versions 8.19.9, 9.1.9 or 9.2.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68384. (Category: Data Analytics)

In MariaDB, a medium severity vulnerability, CVE-2025-13699, was detected in the affected versions. It allows remote attackers to execute arbitrary code via the mariadb-dump utility due to improper validation of user-supplied paths in view names, enabling directory traversal and code execution in the context of the current user. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13699. (Category: Database)

In Kibana versions 7.0.0-alpha1 and prior, from 8.0.0 up to and including 8.19.7, from 9.0.0 up to and including 9.1.7, and from 9.2.0 up to and including 9.2.1, a medium severity vulnerability, CVE-2025-68386, was detected. It is caused by improper authorization (CWE-285) and allows an authenticated attacker to escalate privileges by changing a document’s sharing type to “global” through a crafted HTTP request, even without the required permissions, thereby making the document visible to all users within the space. To address this issue, users should upgrade Kibana to versions 8.19.8, 9.1.8 or 9.2.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68386. (Category: Data Analytics)

In Kibana versions 7.0.0-alpha1 and prior, from 8.0.0 up to and including 8.19.8, from 9.0.0 up to and including 9.1.8, and from 9.2.0 up to and including 9.2.2, a high severity vulnerability, CVE-2025-68385, was detected. It allows authenticated attackers to perform cross-site scripting (XSS) by embedding malicious scripts into content served to users’ web browsers, due to improper neutralization of input during web page generation in a Vega method that bypasses a previous XSS mitigation. To address this issue, users should upgrade Kibana to versions 8.19.9, 9.1.9 or 9.2.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68385. (Category: Data Analytics)

In Kibana versions 7.0.0-alpha1 and prior, from 8.0.0 up to and including 8.19.6, from 9.0.0 up to and including 9.1.6, and 9.2.0, a medium severity vulnerability, CVE-2025-68422, was detected. It results from improper authorization (CWE-285) and allows an authenticated user to bypass intended permission restrictions via a crafted HTTP request, enabling access to the list of live queries without having the required live queries – read permission. To address this issue, users should upgrade Kibana to versions 8.19.7, 9.1.7 or 9.2.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68422. (Category: Data Analytics)

In Filebeat versions 7.0.0-alpha1 and prior, from 8.0.0 up to and including 8.19.8, from 9.0.0 up to and including 9.1.8, and from 9.2.0 up to and including 9.2.2, a medium severity vulnerability, CVE-2025-68383, was detected. It stems from improper validation of a specified index, position, or offset in input (CWE-1285) within the Syslog parser and the Libbeat Dissect processor, allowing a user to trigger a buffer overflow and cause a denial of service (panic/crash) of the Filebeat process via a malformed Syslog message or a malicious tokenizer pattern in the Dissect configuration. To address this issue, users should upgrade Filebeat to versions 8.19.9, 9.1.9 or 9.2.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68383. (Category: Data Analytics)