In Discourse versions prior to 3.5.4, 2025.11.2, 2025.12.1 and 2026.1.0, a medium-severity vulnerability, CVE-2025-66488, was detected. This vulnerability affects installations using Amazon S3 for uploads and allows scripts to be executed in the context of the S3 or CDN domain due to improper handling of uploaded HTML or XML files. To address this issue, users should upgrade Discourse to version 3.5.4, 2025.11.2, 2025.12.1 or 2026.1.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-66488.
Category: Communication

In the Drupal Form Builder module, versions 7.x-1.0 through 7.x-1.22, a medium-severity vulnerability, CVE-2026-0749, was detected. This vulnerability allows attackers to inject and execute arbitrary scripts in a victim's browser due to improper neutralization of user-supplied input during web page generation. Currently, there is no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-0749.
Category: CMS

In Discourse versions prior to 3.5.4, 2025.11.2, 2025.12.1 and 2026.1.0, a medium-severity vulnerability, CVE-2025-68659, was detected. This vulnerability allows attackers to trigger an application-level denial of service by sending oversized JSON payloads to the username change endpoint (PUT /u//preferences/username), causing server delays and resource exhaustion that degrade performance for other users and services. To address this issue, users should upgrade Discourse to version 3.5.4, 2025.11.2, 2025.12.1 or 2026.1.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68659.
Category: Communication

In MongoDB Server versions prior to 7.0.28, 8.0.17, 8.2.3, 6.0.27, 5.0.32 and 4.4.30, and in versions greater than or equal to 4.2.0, 4.0.0 and 3.6.0, a high-severity vulnerability, CVE-2025-14847, was detected. This vulnerability may allow an unauthenticated client to read uninitialized heap memory due to mismatched length fields in Zlib-compressed protocol headers. Currently, there is no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-14847.
Category: Database

In Jenkins versions 2.56 and earlier, including LTS 2.46.1 and earlier, a critical-severity vulnerability, CVE-2017-1000353, was detected. This vulnerability allows unauthenticated attackers to execute arbitrary code by sending a serialized Java SignedObject to the Jenkins CLI, bypassing the existing blacklist-based protections. To address this issue, users should upgrade Jenkins to version 2.57 or LTS 2.46.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2017-1000353.
Category: Newsflash Developer Tools

In Discourse versions prior to 3.5.3, 2025.11.1 and 2025.12.0, a medium-severity vulnerability, CVE-2025-64528, was detected. This vulnerability allows attackers to discover user identities by searching for partial usernames, even when the enable_names setting is disabled, potentially exposing private user information through the UI or API. To address this issue, users should upgrade Discourse to version 3.5.3, 2025.11.1, 2025.12.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-64528.
Category: Communication

In Temporal versions through 1.29.1, a medium-severity vulnerability, CVE-2025-14987, was detected. This vulnerability allows attackers to perform unauthorized cross-namespace workflow actions due to improper authorization checks when handling workflow task commands, enabling a worker authorized for one namespace to create, signal or cancel workflows in another namespace. To address this issue, users should upgrade Temporal to version 1.27.4, 1.28.2 or 1.29.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-14987.
Category: Application Development

In Temporal versions 1.24.0 through 1.29.1, a low-severity vulnerability, CVE-2025-14986, was detected. This vulnerability allows an attacker authorized in one namespace to bypass namespace-level policy enforcement through the ExecuteMultiOperation feature, causing validation to occur against an incorrect namespace and enabling operations governed by another namespace's policies. To address this issue, users should upgrade Temporal to version 1.27.4, 1.28.2 or 1.29.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-14986.
Category: Application Development

In PHP versions 8.1 before 8.1.34, 8.2 before 8.2.30, 8.3 before 8.3.29 and 8.4 before 8.4.16, a high-severity vulnerability, CVE-2025-14180, was detected. This vulnerability affects the PDO PostgreSQL driver when PDO::ATTR_EMULATE_PREPARES is enabled and may lead to a null pointer dereference caused by invalid character sequences in prepared statement parameters, resulting in server crashes and reduced availability. To address this issue, users should upgrade to PHP version 8.1.34, 8.2.30, 8.3.29, 8.4.16 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-14180.
Category: Web Development