In Grafana versions from 11.5.0 a high severity vulnerability CVE-2025-6023 was detected. This vulnerability allows attackers to exploit an open redirect that can be chained with path traversal issues to perform cross-site scripting (XSS) attacks. To address this issue, users should upgrade Grafana to versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 or 11.3.8+security-01. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6023.
Read more Data AnalyticsIn Mattermost versions 10.8.x up to 10.8.1, 10.7.x up to 10.7.3, 10.5.x up to 10.5.7 and 9.11.x up to 9.11.16 a medium severity vulnerability CVE-2025-6233 was detected. This vulnerability allows system administrators to read arbitrary system files via path traversal due to improper sanitization of file attachment input paths in the bulk import JSONL file. To address this issue, users should upgrade Mattermost to versions 10.9.0, 10.8.2, 10.7.4, 10.5.8, 9.11.17 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6233.
Read more CommunicationIn Mattermost versions 10.5.x up to 10.5.7 and 9.11.x up to 9.11.16 a low severity vulnerability CVE-2025-6227 was detected. This vulnerability allows an attacker who intercepts both the invite and password to send synchronization payloads to the server via the REST API due to failure to negotiate a new token when accepting the invite. To address this issue, users should upgrade Mattermost to versions 10.9.0, 10.5.8, 9.11.17 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6227.
Read more CommunicationIn Mattermost versions 10.5.x up to 10.5.6, 10.8.x up to 10.8.1, 10.7.x up to 10.7.3 and 9.11.x up to 9.11.16 a medium severity vulnerability CVE-2025-6226 was detected. This vulnerability allows authenticated users to read posts in private channels without proper access by guessing PendingPostIDs of recently created posts due to missing authorization checks. To address this issue, users should upgrade Mattermost to versions 10.9.0, 10.5.8, 9.11.17 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6226.
Read more CommunicationIn Directus versions 9.12.0 and above a medium severity vulnerability CVE-2025-53889 was detected. This vulnerability allows attackers to execute manual trigger Flows without authentication or proper access rights, potentially performing unauthorized actions on behalf of a user. To address this issue, users should upgrade Directus to version 11.9.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-53889.
Read more CMSIn Directus versions 9.0.0 and above a medium severity vulnerability CVE-2025-53887 was detected. This vulnerability allows attackers to obtain the exact Directus version via the unauthenticated /server/specs/oas endpoint, potentially aiding in targeted exploitation using known vulnerabilities. To address this issue, users should upgrade Directus to version 11.9.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-53887.
Read more CMSIn Directus versions 9.0.0 and above a medium severity vulnerability CVE-2025-53886 was detected. This vulnerability allows malicious administrators to hijack user sessions by accessing sensitive data such as access and refresh tokens logged during Flow WebHook executions. To address this issue, users should upgrade Directus to version 11.9.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-53886.
Read more CMSIn Directus versions 9.0.0 and above a medium severity vulnerability CVE-2025-53885 was detected. This vulnerability allows malicious administrators to log sensitive user data using the “Log to Console” operation within Flows triggered by user CRUD events. To address this issue, users should upgrade Directus to version 11.9.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-53885.
Read more CMSIn Grafana versions prior to 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01 a medium severity vulnerability CVE-2025-3415 was detected. This vulnerability allows users with Viewer permission to access the Grafana Alerting DingDing integration, which was not properly protected. To address this issue, users should upgrade Grafana to versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 or 12.0.1+security-01. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3415.
Read more CMS