In Next.js versions prior to 14.2.25 and 15.2.3, a critical-severity vulnerability, CVE-2025-29927, was detected. This vulnerability allows attackers to bypass authorization checks within a Next.js application when the authorization check is performed in middleware. To address this issue, users should upgrade Next.js to versions 14.2.25, 15.2.3, 15.3.0-canary.12 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-29927.
In the CryoKey plugin for WordPress, versions 2.4 and prior, a medium-severity vulnerability, CVE-2025-2477, was detected. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts via the ‘ckemail’ parameter due to insufficient input sanitization and output escaping; exploitation requires tricking a user into performing an action, such as clicking a malicious link. Currently, there is no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2477.
In Mattermost versions 10.4.x up to and including 10.4.2, 10.3.x up to and including 10.3.3, and 9.11.x up to and including 9.11.8, a medium-severity vulnerability, CVE-2025-30179, was detected. This vulnerability allows authenticated attackers to bypass Multi-Factor Authentication (MFA) protections via user search, channel search, or team search queries, because MFA is not enforced on certain search APIs. To address this issue, users should upgrade Mattermost to versions 0.5.0, 10.4.3, 10.3.4, 9.11.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-30179.
In Mattermost versions 10.4.x up to and including 10.4.2, 10.3.x up to and including 10.3.3, and 9.11.x up to and including 9.11.8, a medium-severity vulnerability, CVE-2025-27933, was detected. This vulnerability allows members who have permission to convert public channels to private to also convert private channels to public, due to a failure to enforce channel conversion restrictions. To address this issue, users should upgrade Mattermost to versions 10.5.0, 10.4.3, 10.3.4, 9.11.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27933.
In Mattermost versions 10.4.x up to and including 10.4.2, 10.3.x up to and including 10.3.3, 9.11.x up to and including 9.11.8, and 10.5.x up to and including 10.5.0, a medium-severity vulnerability, CVE-2025-24920, was detected. This vulnerability allows authenticated users to create or update bookmarks in archived channels, due to a failure to restrict bookmark creation and updates in those channels. To address this issue, users should upgrade Mattermost to versions 10.6.0, 10.4.3, 10.3.4, 9.11.9, 10.5.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-24920.
In Mattermost versions 9.11.x up to and including 9.11.8, a low-severity vulnerability, CVE-2025-27715, was detected. This vulnerability allows team admins to join private channels via crafted permalinks without explicit approval, because the application fails to prompt for approval before adding a team admin to a private channel. To address this issue, users should upgrade Mattermost to versions 10.5.0, 9.11.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27715.
In Mattermost versions 10.4.x up to and including 10.4.2, 10.3.x up to and including 10.3.3, and 9.11.x up to and including 9.11.8, a medium-severity vulnerability, CVE-2025-25274, was detected. This vulnerability allows authenticated users to execute commands in archived channels, due to a failure to restrict command execution in those channels. To address this issue, users should upgrade Mattermost to versions 10.5.0, 10.4.3, 10.3.4, 9.11.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25274.
In the SpotBot plugin for WordPress, versions 0.1.8 and prior, a high-severity vulnerability, CVE-2024-13878, was detected. This vulnerability allows attackers to perform Reflected Cross-Site Scripting (XSS) attacks through an unsanitized parameter, potentially targeting high-privilege users such as administrators. Currently, there is no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13878.
In Mattermost versions 9.11.x up to and including 9.11.8, a medium-severity vulnerability, CVE-2025-1472, was detected. This vulnerability allows users with the Viewer role, even when configured with No Access to Reporting, to still view team and site statistics, due to improper authorization enforcement. To address this issue, users should upgrade Mattermost to versions 9.11.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1472.