Book a demo

Our news and updates

Choose category
2 Jun 2025 DevOps
Zitadel: Password Reset URL Vulnerable to Host Header Injection

In Zitadel versions prior to 2.70.12, 2.71.10 and 3.2.2 a high severity vulnerability CVE-2025-48936 was detected. This vulnerability allows attackers to manipulate the Forwarded or X-Forwarded-Host headers to generate password reset links pointing to malicious domains. If users click these links, attackers could capture the embedded reset code and gain unauthorized access to their accounts. To address this issue, users should upgrade Zitadel to versions 2.70.12, 2.71.10 or 3.2.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-48936.

 Read more DevOps
2 Jun 2025 Communication and Collaboration
Mattermost: System Manager Access Control Bypass via API

In Mattermost versions 10.7.x ≤ 10.7.0, 10.5.x ≤ 10.5.3 and 9.11.x ≤ 9.11.12 a medium severity vulnerability CVE-2025-3611 was detected. This vulnerability allows authenticated users with System Manager privileges to bypass configured access restrictions and view team details through direct API requests, even when access to Teams is explicitly denied in the System Console. To address this issue, users should upgrade Mattermost to versions 10.7.1, 10.5.4, 9.11.13 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3611.

 Read more Communication
2 Jun 2025 Communication and Collaboration
Mattermost: Token Invalidation Flaw Allows Access After Deactivation

In Mattermost versions 10.7.x ≤ 10.7.0, 10.6.x ≤ 10.6.2, 10.5.x ≤ 10.5.3 and 9.11.x ≤ 9.11.12 a medium severity vulnerability CVE-2025-3230 was detected. This vulnerability allows deactivated users to retain full system access by continuing to use previously issued personal access tokens, due to improper invalidation of these tokens after deactivation. To address this issue, users should upgrade Mattermost to versions 10.8.0, 10.7.1, 10.6.3, 10.5.4, 9.11.13 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3230.

 Read more Communication
2 Jun 2025 Communication and Collaboration
Mattermost: OAuth Credential Leakage During User-to-Bot Conversion

In Mattermost versions 10.7.x ≤ 10.7.0, 10.6.x ≤ 10.6.2, 10.5.x ≤ 10.5.3 and 9.11.x ≤ 9.11.12 a medium severity vulnerability CVE-2025-2571 was detected. This vulnerability allows attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow, due to failure to clear associated Google OAuth credentials when converting user accounts to bot accounts. To address this issue, users should upgrade Mattermost to versions 10.7.1, 10.6.3, 10.5.4 and 9.11.13. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2571.

 Read more Communication
30 May 2025 DevOps
Strapi: Server-Side Request Forgery (SSRF) via Local Domain in Webhooks URL

In Strapi versions prior to 4.25.2 a medium severity vulnerability CVE-2024-52588 was detected. This vulnerability allows attackers to perform server-side request forgery (SSRF) by inputting a local domain into the Webhooks URL field, causing the application to fetch itself. To address this issue, users should upgrade Strapi to versions 4.25.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-52588.

 Read more Application Development
30 May 2025 Data Management and Analytics
Redis: Stack-Based Buffer Overflow in redis-check-aof Leading to Potential Code Execution

In Redis versions from 7.0.0 to before 8.0.2 a medium severity vulnerability CVE-2025-27151 was detected. This vulnerability allows attackers to trigger a stack-based buffer overflow in redis-check-aof by exploiting unsafe use of memcpy with user-supplied file paths, potentially leading to remote code execution. To address this issue, users should upgrade Redis to versions 8.0.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27151.

 Read more Database
30 May 2025 DevOps
Argo CD: Cross-Site Scripting Vulnerability Allowing Arbitrary Actions via API

In Argo CD versions prior to 2.13.8, 2.14.13 and 3.0.4 a critical severity vulnerability CVE-2025-47933 was detected. This vulnerability allows attackers with repository edit permissions to perform arbitrary actions on behalf of victims through a cross-site scripting (XSS) flaw caused by improper filtering of URL protocols on the repository page. To address this issue, users should upgrade Argo CD to versions 2.13.8, 2.14.13, 3.0.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-47933.

 Read more Developer Tools
30 May 2025 DevOps
Gitlab: Cross-Site Scripting and Content Security Policy Bypass

In GitLab EE versions from 16.6 before 17.9.7, 17.10 before 17.10.5 and 17.11 before 17.11.1 a high severity vulnerability CVE-2025-1763 was detected. This vulnerability allows attackers to perform cross-site scripting (XSS) attacks and bypass content security policies in a user’s browser under specific conditions. To address this issue, users should upgrade GitLab EE to versions 17.9.7, 17.10.5, 17.11.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1763.

 Read more Developer Tools
30 May 2025 Communication and Collaboration
Mattermost: Improper Permission Validation Team Privacy Settings

In Mattermost versions 10.7.0 and earlier, 10.6.2 and earlier, 10.5.3 and earlier, and 9.11.12 and earlier a medium severity vulnerability CVE-2025-3913 was detected. This vulnerability allows team administrators without the ‘invite user’ permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint due to improper permission validation when changing team privacy settings. To address this issue, users should upgrade Mattermost to versions 10.7.1, 10.6.3, 10.5.4, 9.11.13 or 8.0.0-20250412152950-02c76784380a. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3913.

 Read more Communication