In WP Booking Calendar plugin for WordPress, versions up to and including 10.11.1, a medium-severity vulnerability, CVE-2025-4669, was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the wpbc shortcode, which execute when a user accesses an injected page, due to insufficient input sanitization and output escaping. To address this issue, users should upgrade WP Booking Calendar plugin to version 10.11.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4669.
Category: CMS

In Jupiter X Core plugin for WordPress, versions up to and including 4.8.12, a medium-severity vulnerability, CVE-2025-3888, was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via SVG file inclusion due to insufficient input sanitization and output escaping, leading to script execution when a user accesses the affected page. To address this issue, users should upgrade Jupiter X Core plugin to version 4.9.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3888.
Category: CMS

In EventON Pro plugin, versions up to and including 4.9.6, a medium-severity vulnerability, CVE-2025-3527, was detected. This vulnerability allows authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts due to a missing capability check in the assets/lib/settings/settings.js file, leading to script execution when a user accesses an affected page. To address this issue, users should upgrade EventON Pro plugin to version 4.9.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3527.
Category: CMS

In iTop, versions prior to 3.1.3 and 3.2.1, a medium-severity vulnerability, CVE-2024-56157, was detected. This vulnerability allows attackers to perform a cross-site scripting (XSS) attack by injecting malicious code into CSV content, which is executed when the file is imported. To address this issue, users should upgrade iTop to version 3.1.3 or 3.2.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-56157.
Category: IT Business Management

In iTop, versions prior to 2.7.12, 3.1.3 and 3.2.1, a medium-severity vulnerability, CVE-2024-52601, was detected. This vulnerability allows authenticated portal users to access unauthorized objects by querying an unprotected route. To address this issue, users should upgrade iTop to version 2.7.12, 3.1.3 or 3.2.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-52601.
Category: IT Business Management

In Mattermost, versions 10.6.x ≤ 10.6.1, 10.5.x ≤ 10.5.2, 10.4.x ≤ 10.4.4 and 9.11.x ≤ 9.11.11, a medium-severity vulnerability, CVE-2025-31947, was detected. This vulnerability allows attackers to cause external LDAP accounts to be locked out by triggering repeated login failures through Mattermost, because LDAP users are not locked out properly. To address this issue, users should upgrade Mattermost to version 10.7.0, 10.6.2, 10.5.3, 10.4.5, 9.11.12 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-31947.
Category: Communication

In Mattermost, versions 10.6.x ≤ 10.6.1, 10.5.x ≤ 10.5.2, 10.4.x ≤ 10.4.4 and 9.11.x ≤ 9.11.11, a medium-severity vulnerability, CVE-2025-3446, was detected. This vulnerability allows authenticated users who have permission only to invite non-guest users to add guest users to teams via the API. To address this issue, users should upgrade Mattermost to version 10.7.0, 10.6.2, 10.5.3, 10.4.5, 9.11.12 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3446.
Category: Communication

In Next.js, versions prior to 14.2.24 and 15.1.6, a low-severity vulnerability, CVE-2025-32421, was detected. This race-condition vulnerability in the Pages Router, under certain misconfigurations, causes normal endpoints to serve `pageProps` data instead of standard HTML. To address this issue, users should upgrade Next.js to version 15.1.6 or 14.2.24. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-32421.
Category: Application Development

In Apache Tomcat, versions from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34 and from 9.0.0.M1 through 9.0.98, a critical-severity vulnerability, CVE-2025-24813, was detected. This vulnerability allows unauthenticated attackers to upload malicious files and execute arbitrary code on the server due to improper handling of file paths containing internal dots (.), which leads to path equivalence issues under specific non-default configurations. To address this issue, users should upgrade Apache Tomcat to version 11.0.3, 10.1.35, 9.0.99 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-24813.
Category: Application Development