In GitLab CE/EE versions 17.3 before 17.9.8, 17.10 before 17.10.6 and 17.11 before 17.11.2 a medium severity vulnerability CVE-2025-0549 was detected. This vulnerability allows attackers to bypass Device OAuth flow protections, enabling authorization form submission through minimal user interaction. To address this issue, users should upgrade GitLab CE/EE to versions 17.9.8, 17.10.6 or 17.11.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0549.
Read more Developer Tools
In GitLab CE/EE versions 17.1 before 17.9.8, 17.10 before 17.10.6 and 17.11 before 17.11.2 a medium severity vulnerability CVE-2024-8973 was detected. This vulnerability allows attackers to cause a Denial of Service (DoS) condition via GitHub import requests using a maliciously crafted payload. To address this issue, users should upgrade GitLab CE/EE to versions 17.9.8, 17.10.6 or 17.11.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8973.
Read more Developer Tools
In PostgreSQL versions before 17.5, 16.9, 15.13, 14.18 and 13.21 a medium severity vulnerability CVE-2025-4207 was detected. This vulnerability allows a database input provider to trigger a temporary denial of service by exploiting a buffer over-read in GB18030 encoding validation, potentially causing process termination on affected platforms and impacting both the database server and libpq. To address this issue, users should upgrade PostgreSQL to versions 17.5, 16.9, 15.13, 14.18 or 13.21. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4207.
Read more Database
In the Jeg Elementor Kit plugin for WordPress versions up to and including 2.6.12 a medium severity vulnerability CVE-2025-2944 was detected. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts via the plugin’s Video Button and Countdown Widgets, which, due to insufficient input sanitization and output escaping, execute whenever a user accesses a compromised page. To address this issue, users should upgrade the Jeg Elementor Kit plugin to versions 2.6.13. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2944.
Read more CMS
In Django versions 4.2 before 4.2.21, 5.1 before 5.1.9 and 5.2 before 5.2.1 a medium severity vulnerability CVE-2025-32873 was detected. This vulnerability allows attackers to cause a denial-of-service condition through slow performance by supplying large sequences of incomplete HTML tags to the `strip_tags()` function or the `striptags` template filter. To address this issue, users should upgrade Django to versions 4.2.21, 5.1.9 or 5.2.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-32873.
Read more Application Development
In BuddyBoss Platform Pro plugin for WordPress versions up to and including 2.7.01 a critical severity vulnerability CVE-2025-1909 was detected. This vulnerability allows unauthenticated attackers to bypass authentication and log in as any existing user, including administrators, if they have access to the user’s email address, due to insufficient verification during the Apple OAuth authentication process. To address this issue, users should upgrade BuddyBoss Platform Pro plugin to versions 2.7.10 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1909.
Read more CMS
In Login Lockdown & Protection plugin for WordPress versions up to and including 2.11 a medium severity vulnerability CVE-2025-3766 was detected. This vulnerability allows authenticated users with Subscriber-level access or higher to obtain a valid nonce via the ajax_run_tool function, enabling them to generate a global unlock key and add IPs to the allowlist—exploitable only on new installs where the loginlockdown page has not been visited by an admin. To address this issue, users should upgrade Login Lockdown & Protection plugin to versions 2.12 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3766.
Read more CMS
In WP SEO Structured Data Schema plugin for WordPress versions up to and including 2.7.11 a medium severity vulnerability CVE-2025-4127 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘Price Range’ parameter, which execute when an administrator accesses the plugin settings page, due to insufficient input sanitization and output escaping. To address this issue, users should upgrade WP SEO Structured Data Schema plugin to versions 2.8.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4127.
Read more CMS
In Umbraco versions prior to 10.8.10 and 13.8.1 a medium severity vulnerability CVE-2025-46736 was detected. This vulnerability allows attackers to determine whether an account exists by analyzing the timing of post-login API responses. To address this issue, users should upgrade Umbraco to versions 10.8.10 or 13.8.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-46736.
Read more CMS