In the Helpdesk Integration plugin for WordPress versions up to 5.8.10, a high-severity vulnerability, CVE-2025-9990, was detected. This vulnerability allows unauthenticated attackers to include and execute arbitrary .php files via the portal_type parameter, potentially bypassing access controls, obtaining sensitive data, or executing code. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9990.
In PHP versions 8.1 before 8.1.34, 8.2 before 8.2.30, 8.3 before 8.3.29, and 8.4 before 8.4.16, a high-severity vulnerability, CVE-2025-14180, was detected. This vulnerability affects the PDO PostgreSQL driver when PDO::ATTR_EMULATE_PREPARES is enabled and may lead to a null pointer dereference caused by invalid character sequences in prepared statement parameters, resulting in server crashes and reduced availability. To address this issue, users should upgrade to PHP version 8.1.34, 8.2.30, 8.3.29, 8.4.16 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-14180.
In Gitea versions before 1.22.3, a medium-severity vulnerability, CVE-2025-68941, was detected. This vulnerability allows attackers to access private resources by using an API token that is restricted to public scopes, due to improper enforcement of access controls. To address this issue, users should upgrade Gitea to version 1.22.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68941.
In Gitea versions before 1.22.5, a low-severity vulnerability, CVE-2025-68940, was detected. This vulnerability allows attackers to delete branches without proper authorization after a pull request has been merged, due to insufficient enforcement of branch deletion permissions. To address this issue, users should upgrade Gitea to version 1.22.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68940.
In Gitea versions before 1.23.0, a high-severity vulnerability, CVE-2025-68939, was detected. This vulnerability allows attackers to bypass forbidden file extension restrictions by modifying attachment names through the Attachment API, enabling the upload of potentially dangerous files. To address this issue, users should upgrade Gitea to version 1.23.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68939.
In Gitea versions before 1.25.2, a medium-severity vulnerability, CVE-2025-68938, was detected. This vulnerability allows attackers to delete releases without proper authorization due to insufficient permission checks during the release deletion process. To address this issue, users should upgrade Gitea to version 1.25.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68938.
In Kimai version 1.30.10, a critical-severity vulnerability, CVE-2023-53957, was detected. This vulnerability allows attackers to exploit improper SameSite cookie handling to steal user session cookies, potentially leading to session hijacking. An attacker can trick a victim into executing a crafted PHP script that captures and writes session cookie data, enabling unauthorized access to the user’s account. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2023-53957.
In Gitea versions before 1.21.2, a medium-severity vulnerability, CVE-2025-68945, was detected. This vulnerability allows unauthenticated users to access private projects due to improper access control enforcement. To address this issue, users should upgrade Gitea to version 1.21.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68945.
In Gitea versions before 1.22.2, a medium-severity vulnerability, CVE-2025-68944, was detected. This vulnerability allows attackers to gain unauthorized access by exploiting improper propagation of token scopes within the package registry, potentially leading to access beyond intended permissions. To address this issue, users should upgrade Gitea to version 1.22.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68944.