In Traefik versions 2.11.27 and below, 3.0.0 through 3.4.4, and 3.5.0-rc1, a critical severity vulnerability, CVE-2025-54386, was detected. This vulnerability allows attackers to upload malicious ZIP archives containing path traversal sequences, enabling arbitrary file overwrites outside the intended plugin directory and potentially leading to remote code execution, privilege escalation, persistence, or denial of service. To address this issue, users should upgrade Traefik to version 2.11.28, 3.4.5 or 3.5.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-54386.
In Vault and Vault Enterprise versions prior to 1.20.1 (Community Edition) and 1.19.7, 1.18.12 and 1.16.23 (Enterprise Edition), a medium severity vulnerability, CVE-2025-6037, was detected. This vulnerability allows attackers to craft malicious certificates to impersonate other users when a non-CA certificate is used as a trusted certificate in the TLS auth method. To address this issue, users should upgrade Vault Community Edition to version 1.20.1 or Vault Enterprise to version 1.20.1, 1.19.7, 1.18.12 or 1.16.23. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6037.
In Vault and Vault Enterprise versions prior to 1.20.1 (Community Edition) and 1.19.7, 1.18.12 and 1.16.23 (Enterprise Edition), a medium severity vulnerability, CVE-2025-6015, was detected. This vulnerability allows attackers to bypass login MFA rate limits and reuse TOTP codes, potentially weakening authentication security. To address this issue, users should upgrade Vault Community Edition to version 1.20.1 or Vault Enterprise to version 1.20.1, 1.19.7, 1.18.12 or 1.16.23. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6015.
In Vault and Vault Enterprise versions prior to 1.20.1 (Community Edition) and 1.19.7, 1.18.12 and 1.16.23 (Enterprise Edition), a medium severity vulnerability, CVE-2025-6014, was detected. This vulnerability allows attackers to reuse TOTP codes within their validity period, potentially bypassing intended security controls. To address this issue, users should upgrade Vault Community Edition to version 1.20.1 or Vault Enterprise to version 1.20.1, 1.19.7, 1.18.12 or 1.16.23. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6014.
In the Service Finder SMS System plugin for WordPress, versions up to and including 2.0.0, a critical severity vulnerability, CVE-2025-5954, was detected. This vulnerability allows unauthenticated attackers to escalate privileges and register as administrator users because the plugin does not restrict user role selection during registration via the aonesms_fn_savedata_after_signup() function. To address this issue, users should upgrade the Service Finder SMS System plugin to version 3.0.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5954.
In the Service Finder Bookings plugin for WordPress, versions up to and including 6.0, a critical severity vulnerability, CVE-2025-5947, was detected. This vulnerability allows unauthenticated attackers to escalate privileges and log in as any user, including administrators, due to improper validation of user cookie values in the service_finder_switch_back() function. To address this issue, users should upgrade the Service Finder Bookings plugin to version 6.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5947.
In the SureForms plugin for WordPress, versions prior to 1.7.2, a medium severity vulnerability, CVE-2025-5921, was detected. This vulnerability allows both authenticated and unauthenticated attackers to execute reflected Cross-Site Scripting (XSS) attacks due to insufficient sanitization and escaping of user-supplied input. To address this issue, users should upgrade the SureForms plugin to version 1.7.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5921.
In Ansible Automation Platform, a medium severity vulnerability, CVE-2025-7738, was detected. This vulnerability allows administrators or auditors to view GitHub Enterprise authenticator client secrets in clear text via the Gateway API, increasing the risk of accidental leaks or misuse. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7738.
In Kimai versions 0.9.2.beta, 0.9.2.1294.beta and 0.9.2.1306-3, a critical severity vulnerability, CVE-2013-10033, was detected. This vulnerability allows unauthenticated attackers to perform SQL injection via the db_restore.php endpoint's dates[] POST parameter, which under certain conditions can be exploited to write arbitrary files and achieve remote code execution. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2013-10033.