In Mattermost versions 10.5.x <= 10.5.8 and 9.11.x <= 9.11.17 a low severity vulnerability CVE-2025-53971 was detected. This vulnerability allows a Team Admin to demote a Team Member to a Guest via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint. To address this issue, users should upgrade Mattermost to versions 10.10.0, 10.5.9, 9.11.18 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-53971.
In Liferay Portal versions 7.4.3.120 through 7.4.3.132, and Liferay DXP versions 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.9 through 2024.Q1.19 a medium severity vulnerability CVE-2025-43740 was detected. This vulnerability allows an authenticated attacker to inject JavaScript through the message boards feature available via the web interface. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q1.6 or 2025.Q2.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43740.
In Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q1.0 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-43739 was detected. This vulnerability allows an authenticated attacker to modify the content of emails sent through the calendar portlet, which enables them to send phishing emails to other users in the same organization. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q2.0 or 2025.Q1.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43739.
In Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19 a medium severity vulnerability CVE-2025-43738 was detected. This vulnerability allows an authenticated attacker to inject JavaScript code via the _com_liferay_expando_web_portlet_ExpandoPortlet_displayType parameter. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q1.6 or 2025.Q2.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43738.
In Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q1.0 through 2025.Q1.3, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-43742 was detected. This vulnerability allows attackers to inject JavaScript into web content for friendly URLs. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2024.Q1.15, 2025.Q1.4 or 2025.Q2.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43742.
In PostgreSQL versions 13 through 17 a high severity vulnerability CVE-2025-8714 was detected. This vulnerability allows attackers to inject arbitrary code for restore-time execution as the client operating system account running psql via psql meta-commands. To address this issue, users should upgrade PostgreSQL to versions 13.22, 14.19, 15.14, 16.10 or 17.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8714.
In Spring Framework MVC applications versions prior to 6.2.10 a medium severity vulnerability CVE-2025-41242 was detected. This vulnerability allows attackers to perform a “Path Traversal” attack on non-compliant Servlet containers. To address this issue, users should upgrade org.springframework:spring-beans to versions 6.2.10 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-41242.
In Liferay Portal and DXP versions 7.4.0 through 7.4.3.132 and 2025.Q2.0 through 2025.Q2.7 a medium severity vulnerability CVE-2025-43745 was detected. This vulnerability allows attackers to perform a cross-origin request on behalf of the authenticated user via the endpoint parameter. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q2.8 or 2025.Q1.16. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43745.
In Liferay Portal and DXP versions 7.4.0 through 7.4.3.132 a high severity vulnerability CVE-2025-43744 was detected. This vulnerability allows attackers to inject arbitrary JavaScript via DDM structure field labels. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q2.6 or 2025.Q1.16. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43744.