In Kibana versions 8.3.0 to 8.17.5, 8.18.0 and 9.0.0 a critical severity vulnerability CVE-2025-25014 was detected. This vulnerability allows attackers to achieve arbitrary code execution through prototype pollution by sending crafted HTTP requests to machine learning and reporting endpoints. To address this issue, users should upgrade Kibana to versions 8.17.6, 8.18.1 or 9.0.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25014.
Read more Data Analytics
In Discourse versions between commits 10df7fdee060d44accdee7679d66d778d1136510 and 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b on the 3.5.0.beta4 branch a medium severity vulnerability CVE-2025-46813 was detected. This vulnerability allows unauthenticated users to view private homepage content on login-required sites deployed during the affected window. To address this issue, users should upgrade Discourse to versions above commit 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-46813.
Read more Communication
In LayoutBoxx plugin for WordPress versions up to and including 0.3.1 a high severity vulnerability CVE-2025-2802 was detected. This vulnerability allows unauthenticated attackers to execute arbitrary shortcodes due to insufficient validation before calling do_shortcode. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2802.
Read more CMS
In Cision Block plugin for WordPress versions up to and including 4.3.0 a medium severity vulnerability CVE-2025-3782 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘id’ parameter due to insufficient input sanitization and output escaping, which execute whenever a user accesses an injected page. To address this issue, users should upgrade Cision Block plugin to versions 4.4.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3782.
Read more CMS
In AHAthat plugin for WordPress versions up to and including 1.6 a medium severity vulnerability CVE-2025-4337 was detected. This vulnerability allows unauthenticated attackers to delete AHA pages via a forged request by exploiting missing or incorrect nonce validation in the aha_plugin_page() function, provided they can trick a site administrator into performing an action such as clicking a malicious link. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4337.
Read more CMS
In Envolve Plugin versions up to and including 1.0 a medium severity vulnerability CVE-2024-11615 was detected. This vulnerability allows unauthenticated attackers to delete language files via the `zetra_deleteLanguageFile` and `zetra_deleteFontsFile` functions due to insufficient validation of file paths. To address this issue, users should upgrade Envolve plugin to versions 1.1.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11615.
Read more CMS
In Vault Community Edition versions prior to 1.19.3, and in Vault Enterprise versions from 0.3.0 up to 1.19.2, 1.18.8, 1.17.15 and 1.16.19 a medium severity vulnerability CVE-2025-4166 was detected. This vulnerability allows attackers to unintentionally expose sensitive information in server and audit logs when submitting malformed payloads via the REST API during secret creation or updates. To address this issue, users should upgrade Vault Community to versions 1.19.3 or Vault Enterprise to versions 1.19.3, 1.18.9, 1.17.16 or 1.16.20. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4166.
Read more Security
In Vault Community Edition versions from 0.10.0 up to 1.19.0, and Vault Enterprise from 0.10.0 up to 1.19.0, 1.18.6, 1.17.13 and 1.16.17 a medium severity vulnerability CVE-2025-3879 was detected. This vulnerability allows attackers to bypass the `bound_locations` parameter during login due to improper validation of claims in Azure-issued tokens within the Azure Auth method. To address this issue, users should upgrade Vault Community to versions 1.19.1 or Vault Enterprise to versions 1.19.1, 1.18.7, 1.17.14 or 1.16.18. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3879.
Read more Security
In SurveyJS plugin for WordPress versions up to and including 1.12.32 a medium severity vulnerability CVE-2025-3815 was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript via the `id` parameter due to insufficient input sanitization and output escaping, resulting in Stored Cross-Site Scripting (XSS). To address this issue, users should upgrade SurveyJS plugin to versions 1.12.33 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3815.
Read more CMS