In NGINX Open Source and NGINX Plus versions prior to 1.6.1 and built with ngx_mail_smtp_module and configured with smtp_auth method “none,” a medium severity vulnerability CVE-2025-53859 was detected. This vulnerability allows attackers to over-read the NGINX SMTP authentication process memory, potentially leaking arbitrary bytes sent in a request to the authentication server. To fix this issue, users upgrade NGINX to version 1.6.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-53859.
Read more Application DevelopmentIn Kanboard versions prior to 1.2.47 a medium severity vulnerability CVE-2025-55011 was detected. This vulnerability allows attackers to write files anywhere on the system the application user controls due to missing validation of the task_id parameter and lack of path traversal checks in the createTaskFile API method. To address this issue users should upgrade Kanboard to version 1.2.47 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-55011.
Read more Project ManagementIn Kanboard versions prior to 1.2.47 a critical severity vulnerability CVE-2025-55010 was detected. This vulnerability allows attackers with admin access to achieve remote code execution by exploiting unsafe deserialization in the ProjectEventActivityFormatter via the event[“data”] field in the project_activities table, potentially writing a web shell to the /plugins folder. To address this issue, users should upgrade Kanboard to version 1.2.47 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-55010.
Read more Project ManagementIn Liferay Portal verions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-43734 was detected. This vulnerability allows remote authenticated attackers to inject JavaScript code into the “first display label” field of a custom sort widget, which is then reflected and executed by the clay button taglib when the page is refreshed. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q2.0, 2025.Q1.11 or 2024.Q1.17. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43734.
Read more CMSIn SuiteCRM version 7.14.6 a low severity vulnerability CVE-2025-54787 was detected. This vulnerability allows unauthenticated attackers to download files from the upload directory if the file is named by a valid ID, potentially exposing sensitive internal files. To address this issue, users should upgrade SuiteCRM to versions 7.14.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-54787.
Read more CRMIn SuiteCRM versions 7.14.0 through 7.14.6 a medium severity vulnerability CVE-2025-54784 was detected. This vulnerability allows attackers to execute arbitrary actions as a logged-in user by sending a crafted email that triggers a Cross-Site Scripting (XSS) payload when viewed in the email viewer, potentially leading to data theft or full instance takeover. To address this issue, users should upgrade SuiteCRM to versions 7.14.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-54784.
Read more CRMIn Liferay Portal versions 7.4.0 through 7.4.3.131 and Liferay DXP versions 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 9 a medium severity vulnerability CVE-2025-43735 was detected. This vulnerability allows remote unauthenticated attackers to inject malicious JavaScript into the google_gadget component via reflected cross-site scripting (XSS). To address this issue, users should upgrade Liferay Portal to versions 7.4.3.132 and Liferay DXP to versions 2024.Q1.13 or 2025.Q1.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43735.
Read more CMSIn Liferay Portal versions 7.4.3.0 through 7.4.3.132 and Liferay DXP versions 2025.Q1.0 through 2025.Q1.8, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16, and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-43736 was detected. This vulnerability allows users to upload profile pictures exceeding the intended 300KB limit, potentially causing performance degradation and denial of service (DoS) conditions. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q2.0, 2025.Q1.9 or 2024.Q1.17. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43736.
Read more CMSIn AnWP Football Leagues plugin for WordPress versions up to and including 0.16.17 a vulnerability CVE-2025-8767 was detected. This vulnerability allows authenticated attackers with Administrator-level access and above to perform CSV injection via the ‘download_csv_players’ and ‘download_csv_games’ functions. This can result in code execution when the exported CSV files are opened on a local system with a vulnerable configuration. To address this issue, users should upgrade AnWP Football Leagues plugin to versions 0.16.18 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8767.
Read more CMS