In the Zakra theme for WordPress versions up to and including 4.1.5 a medium severity vulnerability CVE-2025-8595 was detected. This vulnerability allows authenticated attackers with Subscriber-level access or higher to modify data by importing demo settings, due to a missing capability check in the welcome_notice_import_handler() function. To address this issue, users should upgrade Zakra theme to version 4.1.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8595.
In WP Easy Contact plugin for WordPress versions up to and including 4.0.1 a medium severity vulnerability CVE-2025-8315 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘noaccess_msg’ parameter due to insufficient input sanitization and output escaping. To address this issue, users should upgrade WP Easy Contact plugin to version 4.0.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8315.
In Campus Directory plugin for WordPress versions up to and including 1.9.1 a medium severity vulnerability CVE-2025-8313 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘noaccess_msg’ parameter due to insufficient input sanitization and output escaping. To address this issue, users should upgrade Campus Directory plugin to version 1.9.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8313.
In Employee Directory plugin for WordPress versions up to and including 4.5. a medium severity vulnerability CVE-2025-8295 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘noaccess_msg’ parameter due to insufficient input sanitization and output escaping. To address this issue, users should upgrade Employee Directory plugin to version 4.5.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8295.
In Liferay Portal versions 7.4.3.61 through 7.4.3.132, and Liferay DXP versions 2024.Q4.1 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.13, and 7.4 update 61 through update 92 a low severity vulnerability CVE-2025-4599 was detected. This vulnerability allows remote unauthenticated attackers to inject JavaScript into the fragment portlet URL via the fragment preview functionality, leading to postMessage-based Cross-Site Scripting (XSS). To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2024.Q1.14, 2024.Q4.6 or 2025.Q1.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4599.
In Vault and Vault Enterprise versions prior to 1.20.1 (Community Edition), 1.19.7, 1.18.12 and 1.16.23 (Enterprise Edition) a medium severity vulnerability CVE-2025-6004 was detected. This vulnerability allows attackers to bypass the user lockout feature for Userpass and LDAP authentication methods. To address this issue, users should upgrade Vault Community Edition to version 1.20.1 or Vault Enterprise to versions 1.20.1, 1.19.7, 1.18.12 or 1.16.23. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6004.
In Vault and Vault Enterprise versions prior to 1.20.1 (Community Edition), 1.19.7, 1.18.12 and 1.16.23 (Enterprise Edition) a critical severity vulnerability CVE-2025-6000 was detected. This vulnerability allows a privileged Vault operator within the root namespace with write permission to sys/audit to execute arbitrary code on the underlying host if a plugin directory is configured. To address this issue, users should upgrade Vault Community Edition to version 1.20.1 or Vault Enterprise to versions 1.20.1, 1.19.7, 1.18.12 or 1.16.23. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6000.
In Vault and Vault Enterprise versions prior to 1.20.0 (Community Edition), 1.20.0, 1.19.6, 1.18.11 and 1.16.22 (Enterprise Edition) a high severity vulnerability CVE-2025-5999 was detected. This vulnerability allows a privileged Vault operator with write permissions to the root namespace’s identity endpoint to escalate their own or another user’s token privileges to Vault’s root policy. To address this issue, users should upgrade Vault Community Edition to version 1.20.0 or Vault Enterprise to versions 1.20.0, 1.19.6, 1.18.11 or 1.16.22. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5999.
In Traefik versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1 a critical severity vulnerability CVE-2025-54386 was detected. This vulnerability allows attackers to upload malicious ZIP archives containing path traversal sequences, enabling arbitrary file overwrites outside the intended plugin directory and potentially leading to remote code execution, privilege escalation, persistence, or denial of service. To address this issue, users should upgrade Traefik to versions 2.11.28, 3.4.5 or 3.5.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-54386.