In GitLab EE versions from 17.0 before 18.0.5, 18.1 before 18.1.3 and 18.2 before 18.2.1 a medium severity vulnerability CVE-2025-4976 was discovered. This vulnerability, under certain circumstances, could allow an attacker to access internal notes included in GitLab Duo responses. To address this issue, users should upgrade GitLab EE to versions 18.0.5, 18.1.3 and 18.2.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4976.
Read more Developer Tools
In GitLab CE/EE versions from 15.10 before 18.0.5, 18.1 before 18.1.3 and 18.2 before 18.2.1 a high severity vulnerability CVE-2025-4700 was discovered. This vulnerability, under specific circumstances, could have potentially allowed a successful attacker to trigger unintended content rendering, leading to Cross-Site Scripting (XSS). To address this issue, users should upgrade GitLab CE/EE to versions 18.0.5, 18.1.3 and 18.2.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4700.
Read more Developer Tools
In GitLab CE/EE versions from 15.10 before 18.0.5, 18.1 before 18.1.3 and 18.2 before 18.2.1 a high severity vulnerability CVE-2025-4439 was discovered. This vulnerability could have allowed an authenticated user to perform cross-site scripting (XSS) attacks when the GitLab instance is served through certain content delivery networks (CDNs). To address this issue, users should upgrade GitLab CE/EE to versions 18.0.5, 18.1.3 and 18.2.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4439.
Read more Developer Tools
In WordPress versions 3.5 through 6.8.2 a low severity vulnerability CVE-2025-54352 was identified. This vulnerability allows remote attackers to guess the titles of private and draft posts via pingback.ping XML-RPC requests, which can potentially lead to information disclosure. The WordPress supplier has chosen not to change this behavior. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-54352.
Read more CMS
In LibreNMS versions up to and including 25.6.0 a high severity vulnerability CVE-2025-54138 was discovered in the ajax_form.php endpoint. This vulnerability allows remote file inclusion based on user-controlled POST input, as the application directly uses the type parameter to dynamically include .inc.php files from the trusted includes/html/forms/ path without proper validation or allowlisting, introducing a Remote Code Execution (RCE) risk if an attacker can stage a file in that path—such as via symlinks, misconfigurations, or chained exploits. To address this issue, users should upgrade LibreNMS to versions 25.7.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-54138.
Read more CMS
In the YANewsflash plugin for WordPress versions up to and including 1.0.3 a medium severity vulnerability CVE-2025-6054 was detected. This vulnerability allows unauthenticated attackers to update settings and inject malicious web scripts via a forged request, if they can trick a site administrator into performing an action such as clicking a link. This is due to missing or incorrect nonce validation on the yanewsflash/yanewsflash.php page. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6054.
Read more CMS
In the Social Streams plugin for WordPress versions up to and including 1.0.1 a high severity vulnerability CVE-2025-7722 was detected. This vulnerability allows authenticated users with Subscriber-level access or higher to escalate privileges to administrator by exploiting missing identity validation in the update_user_meta() function. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7722.
Read more CMS
In the Omnishop plugin for WordPress versions up to and including 1.0.9 a medium severity vulnerability CVE-2025-6215 was detected. This vulnerability lets unauthenticated attackers create customer accounts despite registration being disabled, by exploiting a publicly exposed /users/register endpoint that bypasses permission checks and calls wp_create_user() directly. The issue remains unfixed as of the latest version. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6215.
Read more CMS
In the Orion Login with SMS plugin for WordPress versions up to and including 1.0.5 a high severity vulnerability CVE-2025-7692 was detected. This vulnerability allows unauthenticated attackers to log in as other users, including administrators, if they have access to their phone number, due to the olws_handle_verify_phone() function using a weak OTP value, exposing the hash used to generate it, and lacking restrictions on OTP submission attempts. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7692.
Read more CMS