In Mattermost versions 10.2.x up to and including 10.2.0, 9.11.x up to and including 9.11.5, 10.0.x up to and including 10.0.3, and 10.1.x up to and including 10.1.3, a medium severity vulnerability CVE-2025-20088 was detected. This vulnerability allows a malicious authenticated user to cause a crash by creating a malicious post with improperly validated post props. To address this issue, users should upgrade Mattermost to version 10.2.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-20088.
In Mattermost versions 10.x up to and including 10.2 a low severity vulnerability CVE-2025-22445 was detected. This vulnerability allows confusion for administrators regarding a Calls security-sensitive configuration due to inaccurate UI reporting of missing settings. To address this issue, users should upgrade Mattermost to version 10.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-22445.
In Mattermost Mobile Apps versions 2.22.0 and prior a medium severity vulnerability CVE-2025-0476 was detected. This vulnerability allows an attacker to crash the mobile app for any user who opens a channel containing a specially crafted attachment. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0476.
In SuiteCRM version 7.12.7 a high severity vulnerability CVE-2022-45186 was detected. This vulnerability allows authenticated users to recover arbitrary fields from the database. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2022-45186.
In GitLab CE/EE versions starting from 15.7 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1 a medium severity vulnerability CVE-2024-6324 was detected. This vulnerability allows an attacker to trigger a Denial of Service (DoS) by creating cyclic references between epics. To address this issue, users should upgrade GitLab CE/EE to versions 17.5.5, 17.6.3 or 17.7.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-6324.
In Mattermost versions 9.11.x up to and including 9.11.5 a low severity vulnerability CVE-2025-22449 was detected. This vulnerability allows team admins without permission to invite users to their team to bypass restrictions by updating the “allow_open_invite” field, making their team public and inviting users. To address this issue, users should upgrade Mattermost to version 9.11.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-22449.
In Django versions 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18 a medium severity vulnerability CVE-2024-56374 was detected. This vulnerability could cause a denial-of-service (DoS) attack due to insufficient limits on strings during IPv6 validation, affecting clean_ipv6_address, is_valid_ipv6_address and django.forms.GenericIPAddressField. To address this issue, users should upgrade Django to versions 5.1.5, 5.0.11 or 4.2.18. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-56374.
In Invoice Ninja versions 5.8.56 through 5.11.23 a high severity vulnerability CVE-2025-0474 was detected. This vulnerability allows attackers to perform authenticated Server-Side Request Forgery (SSRF), enabling arbitrary file read and network resource requests as the application user. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0474.
In Keycloak versions prior to 26.0.8 a medium severity vulnerability CVE-2024-11736 was detected. This vulnerability allows admin users to access sensitive server environment variables and system properties through URLs. By using placeholders like ${env.VARNAME} or ${PROPNAME}, the server replaces them with actual values during URL processing. To address this issue, users should upgrade Keycloak to version 26.0.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11736.