In the Dreamer Blog WordPress theme versions up to and including 1.2 a high severity vulnerability CVE-2025-10915 was detected. This vulnerability allows attackers to perform arbitrary installations due to a missing capability check, potentially enabling unauthorized actions that should be restricted to privileged users. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-10915.
Read more CMS Newsflash
In the Featured Image from URL (FIFU) plugin for WordPress versions up to and including 5.3.1 a medium severity vulnerability CVE-2025-13393 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to perform Server-Side Request Forgery (SSRF) attacks by supplying crafted URLs via the <code>fifu_input_url</code> parameter in the Elementor widget. The issue occurs due to insufficient validation of user-supplied URLs before they are passed to the <code>getimagesize()</code> function, allowing attackers to initiate arbitrary web requests from the server, including requests to internal services. To address this issue, users should upgrade the Featured Image from URL (FIFU) plugin to version 5.3.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13393.
Read more CMS Newsflash
In GitLab CE/EE versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3 and 18.7 before 18.7.1 a high severity vulnerability CVE-2025-9222 was detected. This vulnerability allows an authenticated attacker to perform stored cross-site scripting (XSS) by exploiting improper input neutralization in GitLab Flavored Markdown, leading to the execution of malicious scripts in users’ browsers. To address this issue, users should upgrade GitLab CE/EE to versions 18.5.5, 18.6.3, 18.7.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9222.
Read more Newsflash Developer Tools
In GitLab CE/EE versions from 10.3 before 18.5.5, 18.6 before 18.6.3 and 18.7 before 18.7.1 a low severity vulnerability CVE-2025-3950 was detected. This vulnerability allows attackers to expose private or personal information by referencing specially crafted images that bypass GitLab’s asset proxy protection mechanisms. To address this issue, users should upgrade GitLab CE/EE to versions 18.5.5, 18.6.3, 18.7.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3950.
Read more Newsflash Developer Tools
In vLLM versions from 0.6.4 to before 0.12.0 a medium severity vulnerability CVE-2026-22773 was detected. This vulnerability allows attackers to crash the vLLM inference engine by sending a specially crafted 1×1 pixel image to multimodal models using the Idefics3 vision implementation, triggering a tensor dimension mismatch and an unhandled runtime error that terminates the server. To address this issue, users should upgrade vLLM to version 0.12.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22773.
Read more Machine Learning
In vLLM versions prior to 0.11.1 a high severity vulnerability CVE-2025-66448 was detected. This vulnerability allows attackers to achieve remote code execution by abusing the auto_map field in model configuration files, causing vLLM to fetch and execute Python code from a remote repository even when trust_remote_code=False is set, enabling an attacker to execute arbitrary malicious code on the host by publishing a crafted model repository. To address this issue, users should upgrade vLLM to version 0.11.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-66448.
Read more Machine Learning
In Templately plugin for WordPress versions up to and including 3.4.8 a medium severity vulnerability CVE-2026-0831 was detected. This vulnerability allows attackers to write arbitrary `.ai.json` files to the uploads directory by exploiting insufficient input validation in the `save_template_to_file()` function, which uses user-controlled parameters to construct file paths without proper sanitization. To address this issue, users should upgrade Templately plugin to version 3.4.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-0831.
Read more CMS Newsflash
In the Phlox theme for WordPress versions up to and including 2.17.7 a medium severity vulnerability CVE-2025-4776 was detected. This vulnerability allows attackers with Contributor-level access and above to perform stored cross-site scripting (XSS) by injecting malicious scripts via the `data-caption` HTML attribute, which execute whenever a user accesses an affected page. To address this issue, users should upgrade Phlox theme to version 2.17.11 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4776.
Read more CMS Newsflash Business and Enterprise Solutions
In the FlexTable plugin for WordPress versions before 3.19.2 a low severity vulnerability CVE-2025-9543 was detected. This vulnerability allows attackers to perform stored cross-site scripting (XSS) by injecting malicious content through imported links from Google Sheet cells, potentially targeting high-privileged users such as administrators even when the `unfiltered_html` capability is disallowed. To address this issue, users should upgrade FlexTable plugin to version 3.19.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9543.
Read more CMS Newsflash