In Python versions 3.12 and later a high severity vulnerability CVE-2024-12718 was detected in the `tarfile` module. This vulnerability allows attackers to modify file metadata (e.g., last modified timestamps) or file permissions (e.g., chmod) of files outside the extraction directory when using `TarFile.extract()` or `TarFile.extractall()` with the `filter` parameter set to `”data”` or `”tar”`. To address this issue, users should upgrade Python to versions 3.13.4, 3.12.11, 3.11.13 or 3.10.18. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12718.
Read more Application Development
In Profile Builder plugin for WordPress versions up to and including 3.13.8 a medium severity vulnerability CVE-2025-4671 was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts via the `user_meta` and `compare` shortcodes, due to insufficient input sanitization and output escaping. To address this issue, users should upgrade Profile Builder plugin to versions 3.13.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4671.
Read more CMS
In File Provider plugin for WordPress versions through 1.2.3 a medium severity vulnerability CVE-2025-4580 was detected. This vulnerability allows attackers to perform Cross-Site Request Forgery (CSRF) attacks, enabling them to change plugin settings if a logged-in admin visits a malicious site. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4580.
Read more CMS
In Popup Maker plugin for WordPress versions up to and including 1.20.4 a medium severity vulnerability CVE-2025-4205 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject malicious scripts via the ‘popupID’ parameter, leading to Stored Cross-Site Scripting (XSS) that executes when a user accesses the affected page. To address this issue, users should upgrade Popup Maker plugin to versions 1.20.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4205.
Read more CMS
In Traefik versions 2.11.24 and prior, 3.4.0 and prior a low severity vulnerability CVE-2025-47952 was detected. This vulnerability allows attackers to bypass the middleware chain and target unintended backends by exploiting URL-encoded strings in the request path when PathPrefix, Path, or PathRegex matchers are used. To address this issue, users should upgrade to versions 2.11.25, 3.4.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-47952.
Read more Security
In Zitadel versions prior to 2.70.12, 2.71.10 and 3.2.2 a high severity vulnerability CVE-2025-48936 was detected. This vulnerability allows attackers to manipulate the Forwarded or X-Forwarded-Host headers to generate password reset links pointing to malicious domains. If users click these links, attackers could capture the embedded reset code and gain unauthorized access to their accounts. To address this issue, users should upgrade Zitadel to versions 2.70.12, 2.71.10 or 3.2.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-48936.
Read more DevOps
In Mattermost versions 10.7.x ≤ 10.7.0, 10.5.x ≤ 10.5.3 and 9.11.x ≤ 9.11.12 a medium severity vulnerability CVE-2025-3611 was detected. This vulnerability allows authenticated users with System Manager privileges to bypass configured access restrictions and view team details through direct API requests, even when access to Teams is explicitly denied in the System Console. To address this issue, users should upgrade Mattermost to versions 10.7.1, 10.5.4, 9.11.13 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3611.
Read more Communication
In Mattermost versions 10.7.x ≤ 10.7.0, 10.6.x ≤ 10.6.2, 10.5.x ≤ 10.5.3 and 9.11.x ≤ 9.11.12 a medium severity vulnerability CVE-2025-3230 was detected. This vulnerability allows deactivated users to retain full system access by continuing to use previously issued personal access tokens, due to improper invalidation of these tokens after deactivation. To address this issue, users should upgrade Mattermost to versions 10.8.0, 10.7.1, 10.6.3, 10.5.4, 9.11.13 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3230.
Read more Communication
In Mattermost versions 10.7.x ≤ 10.7.0, 10.6.x ≤ 10.6.2, 10.5.x ≤ 10.5.3 and 9.11.x ≤ 9.11.12 a medium severity vulnerability CVE-2025-2571 was detected. This vulnerability allows attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow, due to failure to clear associated Google OAuth credentials when converting user accounts to bot accounts. To address this issue, users should upgrade Mattermost to versions 10.7.1, 10.6.3, 10.5.4 and 9.11.13. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2571.
Read more Communication