Security

In Vault Community Edition versions prior to 1.19.3, and in Vault Enterprise versions from 0.3.0 up to 1.19.2, 1.18.8, 1.17.15 and 1.16.19 a medium severity vulnerability CVE-2025-4166 was detected. This vulnerability allows attackers to unintentionally expose sensitive information in server and audit logs when submitting malformed payloads via the REST API during secret creation or updates. To address this issue, users should upgrade Vault Community to versions 1.19.3 or Vault Enterprise to versions 1.19.3, 1.18.9, 1.17.16 or 1.16.20. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4166.

In Vault Community Edition versions from 0.10.0 up to 1.19.0, and Vault Enterprise from 0.10.0 up to 1.19.0, 1.18.6, 1.17.13 and 1.16.17 a medium severity vulnerability CVE-2025-3879 was detected. This vulnerability allows attackers to bypass the `bound_locations` parameter during login due to improper validation of claims in Azure-issued tokens within the Azure Auth method. To address this issue, users should upgrade Vault Community to versions 1.19.1 or Vault Enterprise to versions 1.19.1, 1.18.7, 1.17.14 or 1.16.18. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3879.

In Traefik versions prior to 2.11.24, 3.3.6 and 3.4.0-rc2 a high severity vulnerability CVE-2025-32431 was detected. This vulnerability allows attackers to bypass middleware chains by exploiting path matchers (PathPrefix, Path, or PathRegex) when a request URL contains `/../`, potentially targeting unintended backends. To address this issue, users should upgrade Traefik to versions 2.11.24, 3.3.6 or 3.4.0-rc2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-32431.

In OpenVPN versions 2.6.1 through 2.6.13 a high severity vulnerability CVE-2025-2704 was detected. This vulnerability allows remote attackers to trigger a denial of service by corrupting and replaying network packets during the early TLS-crypt-v2 handshake phase when OpenVPN is operating in server mode. To address this issue, users should upgrade OpenVPN to versions 2.6.14 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2704.

In Open Webui versions 0.3.8 a critical severity vulnerability CVE-2024-7053 was detected. This vulnerability allows an attacker with a user-level account to hijack an administrator’s session by exploiting weak session cookie settings, enabling account takeover and potentially remote code execution (RCE) through a malicious image embedded in a chat that steals the admin’s session cookie. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-7053.

In Open Webui versions 0.3.32 a high severity vulnerability CVE-2024-12537 was detected. This vulnerability allows any unauthenticated attacker to access the api/v1/utils/code/format endpoint. If a malicious actor sends a POST request with excessive content, the server could become unresponsive or experience significant performance degradation, potentially causing service interruptions for legitimate users. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-12537.

In Authentik versions prior to 2024.12.4 and 2025.2.3 a high severity vulnerability CVE-2025-29928 was detected. When configured to use database session storage, deleting sessions via the Web Interface or API did not revoke access, allowing session holders to remain authenticated. To address this issue, users should upgrade Authentik to versions 2024.12.4 or 2025.2.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-29928.

In Appsmith versions before 1.51 a medium severity vulnerability CVE-2024-55965 was detected. This vulnerability allows attackers with “App Viewer” access to view development information in a workspace, specifically a list of datasources in that workspace. To address this issue, users should upgrade Appsmith to versions 1.51 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-55965.

In Appsmith versions before 1.52 a critical severity vulnerability CVE-2024-55964 was detected. This vulnerability allows attackers to execute remote commands inside the Appsmith Docker container due to an incorrectly configured PostgreSQL instance, requiring the attacker to access Appsmith, log in, create a datasource, create a query, and execute that query. To address this issue, users should upgrade Appsmith to versions 1.52 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-55964.