In GitLab CE/EE versions from 10.7 before 17.11.5, 18.0 before 18.0.3 and 18.1 before 18.1.1 a medium severity vulnerability CVE-2025-3279 was detected. This vulnerability allows authenticated attackers to create a denial-of-service (DoS) condition by sending specially crafted GraphQL requests. To address this issue, users should upgrade GitLab CE/EE to versions 17.11.5, 18.0.3 or 18.1.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3279.
Read more Developer Tools
In GitLab CE/EE versions from 17.2 before 17.11.5, 18.0 before 18.0.3 and 18.1 before 18.1.1 a medium severity vulnerability CVE-2025-5315 was detected. This vulnerability allows authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypass UI-enforced role restrictions. To address this issue, users should upgrade GitLab CE/EE to versions 17.11.5, 18.0.3 or 18.1.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5315.
Read more Developer Tools
In GitLab EE versions from 16.10 before 17.11.5, 18.0 before 18.0.3 and 18.1 before 18.1.1 a low severity vulnerability CVE-2025-5846 was detected. This vulnerability allows authenticated users to assign unrelated compliance frameworks to projects by sending crafted GraphQL mutations that bypass framework-specific permission checks. To address this issue, users should upgrade GitLab EE to versions 17.11.5, 18.0.3 or 18.1.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5846.
Read more Developer Tools
In Vault Community and Vault Enterprise versions prior to 1.20.0 a low severity vulnerability CVE-2025-4656 was detected. This vulnerability allows Vault operators to trigger denial-of-service (DoS) conditions by cancelling rekey or recovery key operations without proper control. To address this issue, users should upgrade Vault Community Edition to versions 1.20.0, Vault Enterprise to versions 1.20.0, 1.19.6, 1.18.11, 1.17.17 or 1.16.22. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4656.
Read more Security
In Kibana versions up to and including 7.17.28, 8.0.0 up to and including 8.17.7, 8.18.0 up to and including 8.18.2 and 9.0.0 up to and including 9.0.2 a medium severity vulnerability CVE-2025-25012 was detected. This vulnerability allows attackers to redirect users to untrusted sites and potentially perform server-side request forgery (SSRF) via specially crafted URLs. To address this issue, users should upgrade Kibana to versions 7.17.29, 8.17.8, 8.18.3 or 9.0.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25012.
Read more Data Analytics
In Kanboard versions 1.2.45 and prior a medium severity vulnerability CVE-2025-52576 was detected. This vulnerability allows attackers to enumerate valid usernames and bypass IP-based brute-force protection mechanisms such as Fail2Ban or CAPTCHA by abusing trusted HTTP headers and analyzing login behavior. This puts user accounts at higher risk of credential stuffing and brute-force attacks. To address this issue, users should upgrade Kanboard to version 1.2.46. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-52576.
Read more Project Management
In Umbraco versions 10.0.0 through 10.8.10 and 13.0.0 through 13.9.1 a medium severity vulnerability CVE-2025-49147 was detected. This vulnerability allows unauthenticated attackers to access limited information about the configured password requirements via an anonymous endpoint, which could aid brute-force attacks. To address this issue, users should upgrade Umbraco to versions 10.8.11 or 13.9.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-49147.
Read more CMS
In Discourse versions prior to 3.4.6 (stable) and 3.5.0.beta8-dev (tests-passed) a medium severity vulnerability CVE-2025-49845 was detected. This vulnerability allows users to continue viewing their own whisper posts even after losing group-based permission to view such content. To address this issue, users should upgrade Discourse to versions 3.4.6 or later (stable), 3.5.0.beta8-dev (tests-passed). For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-49845.
Read more Communication
In Gogs versions prior to 0.13.3 a critical severity vulnerability CVE-2024-56731 was detected. This vulnerability allows unprivileged users to delete files under the .git directory and execute arbitrary commands with the privileges of the configured RUN_USER, enabling remote command execution and unauthorized modification of other users’ code hosted on the same instance. To address this issue, users should upgrade to versions 0.13.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-56731.
Read more Developer Tools