Security

In OpenVPN versions 2.6.1 through 2.6.13 a high severity vulnerability CVE-2025-2704 was detected. This vulnerability allows remote attackers to trigger a denial of service by corrupting and replaying network packets during the early TLS-crypt-v2 handshake phase when OpenVPN is operating in server mode. To address this issue, users should upgrade OpenVPN to versions 2.6.14 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2704.

In Open Webui versions 0.3.32 a high severity vulnerability CVE-2024-12537 was detected. This vulnerability allows any unauthenticated attacker to access the api/v1/utils/code/format endpoint. If a malicious actor sends a POST request with excessive content, the server could become unresponsive or experience significant performance degradation, potentially causing service interruptions for legitimate users. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-12537.

In Open Webui versions 0.3.8 a critical severity vulnerability CVE-2024-7053 was detected. This vulnerability allows an attacker with a user-level account to hijack an administrator’s session by exploiting weak session cookie settings, enabling account takeover and potentially remote code execution (RCE) through a malicious image embedded in a chat that steals the admin’s session cookie. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-7053.

In Authentik versions prior to 2024.12.4 and 2025.2.3 a high severity vulnerability CVE-2025-29928 was detected. When configured to use database session storage, deleting sessions via the Web Interface or API did not revoke access, allowing session holders to remain authenticated. To address this issue, users should upgrade Authentik to versions 2024.12.4 or 2025.2.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-29928.

In Appsmith versions before 1.51 a medium severity vulnerability CVE-2024-55965 was detected. This vulnerability allows attackers with “App Viewer” access to view development information in a workspace, specifically a list of datasources in that workspace. To address this issue, users should upgrade Appsmith to versions 1.51 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-55965.

In Appsmith versions before 1.52 a critical severity vulnerability CVE-2024-55964 was detected. This vulnerability allows attackers to execute remote commands inside the Appsmith Docker container due to an incorrectly configured PostgreSQL instance, requiring the attacker to access Appsmith, log in, create a datasource, create a query, and execute that query. To address this issue, users should upgrade Appsmith to versions 1.52 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-55964.

In Appsmith versions before 1.51 a medium severity vulnerability CVE-2024-55963 was detected. This vulnerability allows users without admin permissions to trigger the restart API on Appsmith, causing a denial of service by repeatedly restarting the server due to incorrect access control checks that should verify superuser permissions before processing the request. To address this issue, users should upgrade Appsmith to versions 1.51 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-55963.

In Wazuh versions starting from 4.4.0 and prior to 4.9.1 a high severity vulnerability CVE-2025-24016 was detected. This vulnerability allows attackers to execute malicious code on Wazuh servers by exploiting a flaw in how data is processed, potentially compromising the server. To fix this issue users should upgrade Wazuh to version 4.9.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2025-24016.

In Authentik versions before 2024.10.4 a medium severity vulnerability CVE-2024-11623 was detected. This vulnerability allows authenticated admin users to upload crafted SVG files, which can lead to stored XSS attacks through the application icons. To address this issue, users should upgrade Authentik to version 2024.10.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11623.