In Node.js versions 4.0 prior to 20.19.4, 22 prior to 22.17.1, 24 prior to 24.4.1 a medium severity vulnerability CVE-2025-27210 was detected affecting the path.join API on Windows systems. This vulnerability allows unauthenticated attackers to exploit reserved Windows device names such as CON, PRN, and AUX due to an incomplete fix for CVE-2025-23084, potentially causing unexpected behavior or security issues on affected systems. To address this issue, users should upgrade Node.js to versions 20.19.4, 22.17.1 or 24.4.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27210.
Read more Application Development
In WPLMS theme for WordPress versions 1.5.2 to 1.8.4.1 a high severity vulnerability CVE-2015-10139 was detected. This vulnerability allows authenticated attackers to escalate privileges by exploiting the unprotected wp_ajax_import_data AJAX action, enabling them to modify restricted settings and potentially create a new administrator account. To address this issue, users should upgrade WPLMS theme to versions 1.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2015-10139.
Read more CMS
In Work The Flow File Upload plugin for WordPress versions up to and including 2.5.2 a critical severity vulnerability CVE-2015-10138 was detected. This vulnerability allows unauthenticated attackers to upload arbitrary files due to missing file type validation in the jQuery-File-Upload-9.5.0 server and test files, potentially leading to remote code execution. To address this issue, users should upgrade Work The Flow File Upload plugin to versions 2.5.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2015-10138.
Read more CMS
In WP Mobile Detector plugin for WordPress versions up to and including 3.5 a critical severity vulnerability CVE-2016-15043 was detected. This vulnerability allows unauthenticated attackers to upload arbitrary files due to missing file type validation in the resize.php file, potentially leading to remote code execution. To address this issue, users should upgrade WP Mobile Detector plugin to versions 3.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2016-15043.
Read more CMS
In GI-Media Library plugin for WordPress versions prior to 3.0 a high severity vulnerability CVE-2015-10136 was detected. This vulnerability allows unauthenticated attackers to read the contents of arbitrary files on the server via directory traversal using the fileid parameter, potentially exposing sensitive information. To address this issue, users should upgrade GI-Media Library plugin to version 3.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2015-10136.
Read more CMS
In Grafana versions 11.5.0 and later a medium severity vulnerability CVE-2025-6197 was detected. This vulnerability allows attackers to perform open redirects during organization switching when multiple organizations exist and the victim belongs to a different organization than the one specified in the URL. To address this issue users should upgrade Grafana to versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 or 11.3.8+security-01. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6197.
Read more Data Analytics
In Grafana versions from 11.5.0 a high severity vulnerability CVE-2025-6023 was detected. This vulnerability allows attackers to exploit an open redirect that can be chained with path traversal issues to perform cross-site scripting (XSS) attacks. To address this issue, users should upgrade Grafana to versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 or 11.3.8+security-01. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6023.
Read more Data Analytics
In Mattermost versions 10.8.x up to 10.8.1, 10.7.x up to 10.7.3, 10.5.x up to 10.5.7 and 9.11.x up to 9.11.16 a medium severity vulnerability CVE-2025-6233 was detected. This vulnerability allows system administrators to read arbitrary system files via path traversal due to improper sanitization of file attachment input paths in the bulk import JSONL file. To address this issue, users should upgrade Mattermost to versions 10.9.0, 10.8.2, 10.7.4, 10.5.8, 9.11.17 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6233.
Read more Communication
In Mattermost versions 10.5.x up to 10.5.7 and 9.11.x up to 9.11.16 a low severity vulnerability CVE-2025-6227 was detected. This vulnerability allows an attacker who intercepts both the invite and password to send synchronization payloads to the server via the REST API due to failure to negotiate a new token when accepting the invite. To address this issue, users should upgrade Mattermost to versions 10.9.0, 10.5.8, 9.11.17 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6227.
Read more Communication