In GitLab EE versions 16.0 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 a medium severity vulnerability CVE-2024-6356 was detected. This vulnerability allows unauthorized cross-project access for the Security Policy Bot. To address this issue, users should upgrade GitLab EE to versions 17.8.1, 17.7.3, or 17.6.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-6356.
Read more Developer Tools
In Discourse versions 3.4.0.beta3 and prior on the `beta` and `tests-passed` branches a low severity vulnerability CVE-2025-22601 was detected. This vulnerability allows attackers to trick users into changing their own username via a crafted link using the `activate-account` route. To address this issue, users should upgrade Discourse to version 3.4.0.beta4 on the `beta` and `tests-passed` branches or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-22601.
Read more Communication
In Discourse versions 3.3.3 and prior on the `stable` branch and 3.4.0.beta3 and prior on the `beta` and `tests-passed` branches a medium severity vulnerability CVE-2024-56328 was detected. This vulnerability allows attackers to post malicious links that can execute harmful code in users’ browsers if Content Security Policy protection is disabled on the site. To fix this issue, users should upgrade Discourse to versions 3.3.4 and later on the `stable` branch or version 3.4.0.beta4 and later on the `beta` and `tests-passed` branches. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-56328.
Read more Communication
In Discourse versions 3.3.3 and prior on the `stable` branch and 3.4.0.beta4 and prior on the `beta` and `tests-passed` branches a medium severity vulnerability CVE-2024-56197 was detected. This vulnerability allows attackers to read the titles and metadata of private messages if the “PM tags allowed for groups” option is enabled and the attacker is a member of a group included in that list. To fix this issue, users should upgrade Discourse to version 3.3.4 and later on the `stable` branch or version 3.4.0.beta5 and later on the `beta` and `tests-passed` branches. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-56197.
Read more Communication
In Discourse versions prior to 3.3.2 on the `stable` branch and prior to 3.4.0.beta3 on the `tests-passed` branch a high severity vulnerability CVE-2024-55948 was detected. This vulnerability allows attackers to craft XHR requests that poison the anonymous cache, potentially serving responses with missing preloaded data to anonymous visitors. To address this issue, users should upgrade Discourse to versions 3.3.2 and later on the `stable` branch or version 3.4.0.beta3 and later on the` tests-passed` branches. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-55948.
Read more Communication
In Discourse versions 3.3.2 and prior on the `stable` branch and 3.4.0.beta3 and prior on the `beta` and `tests-passed` branches a medium severity vulnerability CVE-2024-53994 was detected. This vulnerability allows users who disable chat in preferences to still be reachable in some cases. To address this issue, users should upgrade Discourse to version 3.3.3 and later on the `stable` branch or version 3.4.0.beta4 and later on the `beta` and `tests-passed` branches. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-53994.
Read more Communication
In Authentik versions before 2024.10.4 a medium severity vulnerability CVE-2024-11623 was detected. This vulnerability allows authenticated admin users to upload crafted SVG files, which can lead to stored XSS attacks through the application icons. To address this issue, users should upgrade Authentik to version 2024.10.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11623.
Read more Security
In Discourse versions prior to 3.3.2 on the `stable` branch and 3.4.0.beta3 on the `tests-passed` branch a high severity vulnerability CVE-2025-23023 was detected. This vulnerability allows attackers to poison the anonymous cache by crafting a request with specific headers, potentially leading to missing preloaded data in the cache. This issue affects only anonymous visitors to the site. To address this issue, users should upgrade to the latest version of Discourse. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-23023.
Read more Communication
In MySQL Server versions up to 9.1.0 a medium severity vulnerability CVE-2025-21567 was detected. This vulnerability allows a low-privileged attacker with network access via multiple protocols to compromise MySQL Server. To address this issue, users should upgrade to a version 9.2.0 or higher. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-21567.
Read more Database