In Vault Community Edition versions prior to 1.19.3, and in Vault Enterprise versions from 0.3.0 up to 1.19.2, 1.18.8, 1.17.15 and 1.16.19 a medium severity vulnerability CVE-2025-4166 was detected. This vulnerability allows attackers to unintentionally expose sensitive information in server and audit logs when submitting malformed payloads via the REST API during secret creation or updates. To address this issue, users should upgrade Vault Community to versions 1.19.3 or Vault Enterprise to versions 1.19.3, 1.18.9, 1.17.16 or 1.16.20. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4166.
Read more Security
In Vault Community Edition versions from 0.10.0 up to 1.19.0, and Vault Enterprise from 0.10.0 up to 1.19.0, 1.18.6, 1.17.13 and 1.16.17 a medium severity vulnerability CVE-2025-3879 was detected. This vulnerability allows attackers to bypass the `bound_locations` parameter during login due to improper validation of claims in Azure-issued tokens within the Azure Auth method. To address this issue, users should upgrade Vault Community to versions 1.19.1 or Vault Enterprise to versions 1.19.1, 1.18.7, 1.17.14 or 1.16.18. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3879.
Read more Security
In SurveyJS plugin for WordPress versions up to and including 1.12.32 a medium severity vulnerability CVE-2025-3815 was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript via the `id` parameter due to insufficient input sanitization and output escaping, resulting in Stored Cross-Site Scripting (XSS). To address this issue, users should upgrade SurveyJS plugin to versions 1.12.33 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3815.
Read more CMS
In WPML plugin for WordPress versions 3.6.0 to 4.7.3 a medium severity vulnerability CVE-2025-3488 was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript via the `wpml_language_switcher` shortcode due to insufficient input sanitization and output escaping on user-supplied attributes, resulting in Stored Cross-Site Scripting (XSS). To address this issue, users should upgrade WPML plugin to versions 4.7.4. or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3488.
Read more CMS
In Formality plugin for WordPress versions up to and including 1.5.8 a medium severity vulnerability CVE-2025-3858 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘align’ parameter, which execute when a user accesses an injected page, due to insufficient input sanitization and output escaping. To address this issue, users should upgrade Formality plugin to versions 1.5.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3858.
Read more CMS
In Music Player for Elementor plugin for WordPress versions up to and including 2.4.6 a medium severity vulnerability CVE-2025-5340 was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary scripts via the album_buy_url parameter, leading to Stored Cross-Site Scripting (XSS) that executes when a user visits the affected page. To address this issue, users should upgrade Music Player for Elementor plugin to versions 2.4.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5340.
Read more CMS
In Grafana versions prior to 10.4.17+security-0 a medium severity vulnerability CVE-2025-3454 was detected. This vulnerability allows attackers to bypass authorization checks by inserting an extra slash in the datasource proxy API path, enabling unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. To address this issue, users should upgrade Grafana to versions 10.4.17+security-01, 11.2.8+security-01, 11.3.5+security-01, 11.4.3+security-01, 11.5.3+security-01, 11.6.0+security-01 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3454.
Read more Data Analytics
In Grafana versions 0alpha1, 1alpha1 and 2alpha1 a high severity vulnerability was detected in the /apis/dashboard.grafana.app/* endpoints across all API versions. This vulnerability allows authenticated and anonymous users with viewer or editor roles to bypass dashboard and folder-level permissions, enabling unrestricted access, modification, and creation of dashboards across all folders, while organization isolation and datasource access remain unaffected. Currently, there is no fix version for this vulnerability. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3260.
Read more Data Analytics
In Mattermost versions 10.7.x ≤ 10.7.0, 10.5.x ≤ 10.5.3 and 9.11.x ≤ 9.11.12 a high severity vulnerability CVE-2025-1792 was detected. This vulnerability allows authenticated guest users to view metadata about members of public channels via the channel members API endpoint due to insufficient enforcement of access controls. To address this issue, users should upgrade Mattermost to versions 10.7.1, 10.5.4, 9.11.13 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1792.
Read more Communication