Our news and updates

In Moodle versions up to 4.5.2 a low severity vulnerability CVE-2025-26528 was detected. This vulnerability stems from insufficient input sanitization in the ddimageortext question type, allowing attackers to inject malicious scripts that are executed when other users access the affected content. To address this issue, users should upgrade Moodle to versions 4.5.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-26528.

In Moodle versions up to 4.1.15, 4.3.9, 4.4.5 and 4.5.1 a high severity vulnerability CVE-2025-26529 was detected. This vulnerability arises from insufficient sanitization of input in the Site Administration Live Log, leading to a stored Cross-Site Scripting (XSS) risk. To address this issue, users should upgrade Moodle to versions 4.1.16, 4.3.10, 4.4.6 or 4.5.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-26529.

In Moodle versions up to 4.5.1 a high severity vulnerability CVE-2025-26530 was detected. This vulnerability results from insufficient sanitization in the question bank filter, allowing attackers to craft malicious URLs that execute arbitrary JavaScript in the victim’s browser. To address this issue, users should upgrade Moodle to versions 4.5.2, 4.4.6 or 4.3.10. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-26530.

In Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, and 10.2.x <= 10.2.2 a critical severity vulnerability CVE-2025-25279 was detected. This vulnerability allows attackers to read any arbitrary file on the system by importing and exporting a specially crafted import archive in Boards. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-25279.

In WooCommerce Support Ticket System plugin for WordPress, versions 17.8 and prior a medium severity vulnerability CVE-2024-13775 was detected. This allows attackers with Subscriber-level access or higher to delete posts and access user data. To address this issue, users should upgrade WooCommerce Support Ticket System plugin to version 17.9 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-13775.

In Mattermost versions 9.11.0 <= 9.11.7, 10.1.0 <= 10.1.3, 10.2.0 <= 10.2.2, 10.3.0 <= 10.3.2, and 10.4.0 <= 10.4.1 a medium severity vulnerability CVE-2025-24526 was detected. This allows users to export archived channel contents without proper access. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-24526.

In Metabase Enterprise Edition versions 1.47.0 and prior to 1.50.36, 1.51.14, 1.52.11, and 1.53.2 a medium severity vulnerability CVE-2025-27141 was detected. This allows users with impersonation permissions to access cached query results, even if they lack permission to view the data. To address this issue, users should upgrade to versions 1.50.36, 1.51.14, 1.52.11 or 1.53.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27141.

In Moodle versions prior to 4.5.2, 4.4.6, 4.3.10, and 4.1.16 a high severity vulnerability CVE-2025-26525 was detected. This vulnerability allows attackers to exploit insufficient sanitization in the TeX notation filter when pdfTeX is available, leading to arbitrary file read risks on Moodle installations using TeX Live. To address this issue, users should upgrade Moodle to versions 4.5.2, 4.4.6, 4.3.10 or 4.1.16. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-26525.

In Post Grid and Gutenberg Blocks – ComboBlocks plugin for WordPress versions 2.3.5 and prior a medium severity vulnerability CVE-2024-13798 was detected. This vulnerability allows unauthenticated attackers to create new orders for products and mark them as paid without completing a payment due to insufficient verification on form fields. To address this issue, users should upgrade Post Grid and Gutenberg Blocks – ComboBlocks plugin to version 2.3.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13798.