In Spring Cloud Gateway Server versions 2.2.10.RELEASE to 4.2.2 (including 4.3.0-M1, M2 and RC1), and in Spring Cloud Gateway Server MVC versions 4.1.7 to 4.2.2 (including 4.3.0-M1, M2 and RC1), a high severity vulnerability, CVE-2025-41235, was detected. This vulnerability allows the server to forward the X-Forwarded-For and Forwarded headers received from untrusted proxies, which could be exploited to spoof client IP addresses or manipulate request metadata. To address this issue, users should upgrade Spring Cloud Gateway Server to version 4.2.3 or later for the 4.2.x line, 4.1.8 or later for the 4.1.x line, and any version after 4.0.9 for the 4.0.x line. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-41235.
Category: Application Development

In Discourse versions prior to 3.4.3 (stable) and 3.5.0.beta3 (beta), a medium severity vulnerability, CVE-2025-32376, was detected. This vulnerability allows attackers to bypass the user limit for direct messages (DMs), potentially enabling the creation of a DM that includes every user on a site. To address this issue, users should upgrade Discourse to version 3.4.3 (stable) or later, or 3.5.0.beta3 (beta) or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-32376.
Category: Communication

In Elasticsearch versions prior to 7.17.25 and prior to 8.16.0, a medium severity vulnerability, CVE-2024-52979, was detected. This vulnerability allows attackers to trigger uncontrolled resource consumption by submitting specially crafted search templates that use Mustache functions, potentially leading to a Denial of Service by crashing the Elasticsearch node. To address this issue, users should upgrade Elasticsearch to version 7.17.25 or 8.16.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-52979.
Category: Data Analytics

In Kibana versions 7.17.0 up to 7.17.18 and 8.0.0 up to 8.12.3, a medium severity vulnerability, CVE-2025-25016, was detected. This vulnerability allows authenticated attackers to compromise software integrity by uploading crafted malicious files, due to insufficient server-side validation. To address this issue, users should upgrade Kibana to version 7.17.19 or later, or 8.13.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25016.
Category: Data Analytics

In Kibana versions 7.17.6 up to and including 7.17.23 and 8.4.0 up to and including 8.11.4, a medium severity vulnerability, CVE-2024-11390, was detected. This vulnerability allows attackers with access to the Synthetics app, or with write permissions to synthetics indices, to upload crafted HTML and JavaScript files, leading to arbitrary JavaScript execution (XSS) in a victim's browser. To address this issue, users should upgrade Kibana to version 7.17.24 or 8.12.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11390.
Category: Data Analytics

In the BuddyBoss Platform plugin for WordPress, versions 2.8.50 and prior, a medium severity vulnerability, CVE-2024-13860, was detected. This vulnerability allows authenticated attackers with Subscriber-level access or higher to inject malicious scripts via the `bbp_topic_title` parameter, leading to Stored Cross-Site Scripting (XSS) on affected pages. Currently, there is no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13860.
Category: CMS

In Redmine versions 6.0.0 through 6.0.3, a medium severity vulnerability, CVE-2025-4011, was detected. This vulnerability allows attackers to perform cross-site scripting (XSS) via manipulation of the "Name" argument in the Custom Query Handler. To address this issue, users should upgrade Redmine to version 6.0.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4011.
Category: Project Management

In the SureForms plugin for WordPress, versions prior to 1.4.4, a medium severity vulnerability, CVE-2025-3471, was detected. This vulnerability allows attackers with Contributor-level access or higher to update plugin settings via the REST API, due to a missing authorization check. To address this issue, users should upgrade the SureForms plugin to version 1.4.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3471.
Category: CMS

In the Calculated Fields Form plugin for WordPress, versions prior to 5.2.62, a low severity vulnerability, CVE-2024-12273, was detected. This vulnerability allows high-privilege users, such as admins, to perform Stored Cross-Site Scripting (XSS) attacks due to improper sanitization and escaping of certain settings, even when the unfiltered_html capability is disallowed (e.g., in multisite setups). To address this issue, users should upgrade the Calculated Fields Form plugin to version 5.2.62 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12273.
Category: CMS