In Liferay Portal versions 7.4.0 through 7.4.3.131 and Liferay DXP versions 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92, a medium severity vulnerability, CVE-2025-4388, was detected. This vulnerability allows remote unauthenticated attackers to inject JavaScript into the modules/apps/marketplace/marketplace-app-manager-web module via reflected cross-site scripting. To address this issue, users should upgrade Liferay Portal to version 7.4.3.132, or Liferay DXP to version 2024.Q1.13 or 2024.Q4.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4388.
In Logstash versions prior to 8.17.6, 8.18.0 and 9.0.0, a medium severity vulnerability, CVE-2025-37730, was detected. This vulnerability allows attackers to perform man-in-the-middle (MitM) attacks in “client” mode due to improper certificate validation – specifically, the lack of hostname verification when `ssl_verification_mode => full` was set in the TCP output configuration. To address this issue, users should upgrade Logstash to version 8.17.6, 8.18.1 or 9.0.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-37730.
In Umbraco versions prior to 10.8.10 and 13.8.1, a medium severity vulnerability, CVE-2025-46736, was detected. This vulnerability allows attackers to determine whether an account exists by analyzing the timing of post-login API responses. To address this issue, users should upgrade Umbraco to version 10.8.10 or 13.8.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-46736.
In Zitadel versions prior to 3.0.0, 2.71.9 and 2.70.10, a high severity vulnerability, CVE-2025-46815, was detected. This vulnerability allows attackers with access to the application’s predefined URI to retrieve authentication tokens and user IDs by repeatedly using IdP intents, enabling them to authenticate on behalf of the user. To address this issue, users should upgrade Zitadel to version 3.0.0, 2.71.9 or 2.70.10. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-46815.
In Envolve plugin versions up to and including 1.0, a medium severity vulnerability, CVE-2024-11615, was detected. This vulnerability allows unauthenticated attackers to delete language files via the `zetra_deleteLanguageFile` and `zetra_deleteFontsFile` functions due to insufficient validation of file paths. To address this issue, users should upgrade the Envolve plugin to version 1.1.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11615.
In Discourse versions between commits 10df7fdee060d44accdee7679d66d778d1136510 and 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b on the 3.5.0.beta4 branch, a medium severity vulnerability, CVE-2025-46813, was detected. This vulnerability allows unauthenticated users to view private homepage content on login-required sites deployed during the affected window. To address this issue, users should upgrade Discourse to a version above commit 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-46813.
In the LayoutBoxx plugin for WordPress, versions up to and including 0.3.1, a high severity vulnerability, CVE-2025-2802, was detected. This vulnerability allows unauthenticated attackers to execute arbitrary shortcodes due to insufficient validation before calling do_shortcode. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2802.
In the Cision Block plugin for WordPress, versions up to and including 4.3.0, a medium severity vulnerability, CVE-2025-3782, was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘id’ parameter due to insufficient input sanitization and output escaping; the injected scripts execute whenever a user accesses an injected page. To address this issue, users should upgrade the Cision Block plugin to version 4.4.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3782.
In the AHAthat plugin for WordPress, versions up to and including 1.6, a medium severity vulnerability, CVE-2025-4337, was detected. This vulnerability allows unauthenticated attackers to delete AHA pages via a forged request by exploiting missing or incorrect nonce validation in the aha_plugin_page() function, provided they can trick a site administrator into performing an action such as clicking a malicious link. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4337.