In GitLab versions 17.4 to 17.8.6, 17.9 to 17.9.3 and 17.10 to 17.10.1, a high-severity vulnerability, CVE-2025-2242, was detected. It allows a user who was previously an instance admin but has since been downgraded to a regular user to retain elevated privileges over groups and projects. To address this issue, users should upgrade GitLab to version 17.8.6, 17.9.3 or 17.10.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2242.

In Discourse versions prior to 3.3.4 on the stable branch and prior to 3.4.0.beta5 on the beta branch, a medium-severity vulnerability, CVE-2025-24972, was detected. In specific circumstances, users could be added to group direct messages despite having disabled direct messaging in their preferences. To address this issue, users should upgrade Discourse to version 3.3.4 or later (stable) or 3.4.0.beta5 or later (beta). For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-24972.

In GitLab versions 13.5.0 to 17.8.6, 17.9 to 17.9.3 and 17.10 to 17.10.1, a high-severity vulnerability, CVE-2025-2255, was detected. It allows attackers to perform cross-site scripting (XSS) attacks through certain error messages. To address this issue, users should upgrade GitLab to version 17.8.6, 17.9.3 or 17.10.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2255.

In GitLab versions 14.9 to 17.8.6, 17.9 to 17.9.3 and 17.10 to 17.10.1, a low-severity input validation vulnerability, CVE-2024-9773, was detected. It could have allowed a maintainer to add malicious code to the CLI commands shown in the UI. To address this issue, users should upgrade GitLab to version 17.8.6, 17.9.3 or 17.10.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-9773.

In GitLab CE/EE versions 17.7 before 17.8.6, 17.9 before 17.9.3 and 17.10 before 17.10.1, a high-severity vulnerability, CVE-2025-0811, was detected. It allows attackers to perform cross-site scripting attacks because certain file types are rendered improperly. To address this issue, users should upgrade GitLab CE/EE to version 17.8.6, 17.9.3 or 17.10.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0811.

In the BWL Advanced FAQ Manager plugin for WordPress, versions 2.1.4 and prior, a high-severity vulnerability, CVE-2024-13801, was detected. It allows attackers with Subscriber-level access or higher to modify option values without proper capability checks, potentially causing a denial of service (DoS) or enabling unauthorized actions such as changes to registration settings. To address this issue, users should upgrade the BWL Advanced FAQ Manager plugin to version 2.1.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13801.

In the Newsletters plugin for WordPress, versions 4.9.9.7 and prior, a high-severity vulnerability, CVE-2025-2009, was detected. It allows unauthenticated attackers to inject arbitrary web scripts through the logging functionality; the scripts execute when a user accesses an injected page. To address this issue, users should upgrade the Newsletters plugin to version 4.9.9.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2009.

In the Event Post plugin for WordPress, versions 5.9.9 and prior, a medium-severity vulnerability, CVE-2025-2167, was detected. It allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the plugin's 'events_list' shortcode, due to insufficient input sanitization and output escaping of user-supplied attributes; the scripts execute whenever a user accesses an affected page. To address this issue, users should upgrade the Event Post plugin to version 5.9.10 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2167.

In the Jobs plugin for WordPress, versions 2.7.11 and prior, a medium-severity vulnerability, CVE-2025-1310, was detected. It allows authenticated attackers with Subscriber-level access and above to read the contents of arbitrary files on the server through the 'job_postings_get_file' parameter, which can expose sensitive information. To address this issue, users should upgrade the Jobs plugin to version 2.7.12 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1310.