Our news and updates

In Debug Log Manager plugin for WordPress versions up to and including 2.3.4 a high severity vulnerability CVE-2025-3809 was detected. This vulnerability allows unauthenticated attackers to inject malicious JavaScript via the auto-refresh debug log due to insufficient input sanitization and output escaping. To address this issue, users should upgrade Debug Log Manager plugin to versions 2.3.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3809.

In Backstage Scaffolder plugin (permissions backend) a medium severity vulnerability CVE-2025-32791 was detected. This vulnerability allows callers to extract limited information about the conditional decisions returned by the installed permission policy in the permission backend, though there is no impact if the permission system is disabled or the policy does not use conditional decisions. To address this issue, users should upgrade Backstage Scaffolder plugin to version 0.6.0 of the permissions backend. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-32791.

In Zulip versions prior to 10.2 a high severity vulnerability CVE-2025-31478 was detected. This vulnerability allows attackers to create accounts in organizations configured to use SSO-only authentication, even without having an account with the configured SSO backend. To address this issue, users should upgrade Zulip to version 10.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-31478.

In Oracle MySQL Server (InnoDB component) versions 8.0.0–8.0.41, 8.4.0–8.4.4 and 9.0.0–9.2.0 a medium severity vulnerability CVE-2025-30693 was detected. This vulnerability allows high privileged attackers with network access via multiple protocols to cause a denial of service (DoS) or perform unauthorized updates, inserts, or deletions on MySQL Server data. To address this issue, users should upgrade MySQL Server to versions 8.0.42-1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-30693.

In MySQL Connector/Python versions 9.0.0 through 9.2.0 a medium severity vulnerability CVE-2025-30714 was detected. This vulnerability allows low privileged attackers with network access and user interaction to gain unauthorized access to sensitive data. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-30714.

In MySQL Server (component: Server: UDF) versions 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0 a medium severity vulnerability CVE-2025-30721 was detected. This vulnerability allows a high-privileged attacker with logon access to compromise MySQL Server, requiring human interaction and potentially causing a crash (DOS). To address this issue, users should upgrade MySQL Server to versions 8.0.42-1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-30721.

In Mattermost versions 10.5.0 to 10.5.1 and 9.11.0 to 9.11.9 a low severity vulnerability CVE-2025-27538 was detected. This vulnerability allows users with certain permissions to turn MFA on or off for other users without proper checks. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-27538.

In Mattermost versions 10.5.0 to 10.5.1, 10.4.0 to 10.4.3, and 9.11.0 to 9.11.9 a low severity vulnerability CVE-2025-24839 was detected. This vulnerability allows users to turn on the AI bot by adding a setting to a post using the Wrangler plugin, even if they don’t have access to the bot. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-24839.

In Rancher versions 2.7.0 to before 2.7.14 and 2.8.0 to before 2.8.5 a medium severity vulnerability CVE-2023-32197 was detected. This vulnerability allows attackers to gain more permissions than they should in certain cases where RoleTemplate objects are set with external=true. To address this issue, users should upgrade Rancher to version 2.7.14 or 2.8.5. For more details, visit https://avd.aquasec.com/nvd/2023/cve-2023-32197.