In the SSP Debug plugin for WordPress, versions up to and including 1.0.0, a medium severity vulnerability, CVE-2025-13494, was identified. The plugin stores its PHP error log in a predictable, publicly accessible location without any access control, so unauthenticated attackers can retrieve sensitive debugging information such as request URLs, client IP addresses, User-Agent strings, WordPress user IDs, and internal filesystem paths. No fixed version was available at the time of writing; users should upgrade as soon as a fixed release is published and, in the meantime, deny web access to the log file at the web server. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13494.
Category: CMS
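A quick way to confirm whether your own site leaks such a log, as an added example for this digest (not code from the SSP Debug plugin): it fetches candidate paths anonymously and flags responses that contain the kinds of data the advisory lists. The candidate path and the sample log are constructed placeholders, not the plugin's real location or output; supply the path from your own installation.

```python
"""Check whether a WordPress site serves a debug/error log to anonymous clients.

Added example for this digest; not code from the SSP Debug plugin. The
candidate path used in the demo is a hypothetical placeholder, not the
plugin's actual log location.
"""
import re
import urllib.error
import urllib.request
from typing import Callable

# Indicators the advisory says the log contains. A public file matching any of
# these hands reconnaissance data to unauthenticated clients.
INDICATORS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "user_agent": re.compile(r"Mozilla/\d\.\d|curl/\d|python-requests/", re.I),
    "wp_user_id": re.compile(r"\buser[_ ]?id\W{0,3}\d+", re.I),
    "fs_path": re.compile(r"(?:/var/www|/home/[^\s/]+|/srv/[^\s/]+|[A-Z]:\\)\S*wp-", re.I),
    "url": re.compile(r"https?://\S+", re.I),
}


def classify_log_content(text: str) -> dict:
    """Return {indicator: count} for every sensitive pattern present in text."""
    return {name: len(rx.findall(text)) for name, rx in INDICATORS.items() if rx.search(text)}


def default_fetch(url: str) -> tuple:
    """Anonymous GET with no cookies: a 200 here means the file is public."""
    req = urllib.request.Request(url, headers={"User-Agent": "log-exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(256 * 1024).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def probe_log_exposure(base_url: str, candidate_paths: list,
                       fetch: Callable[[str], tuple] = default_fetch) -> list:
    """GET each candidate path unauthenticated and report the ones that are
    readable and look like a debug log. `fetch` is injectable so the check can
    run offline against canned responses."""
    findings = []
    for path in candidate_paths:
        url = base_url.rstrip("/") + "/" + path.lstrip("/")
        status, body = fetch(url)
        if status != 200 or not body.strip():
            continue
        hits = classify_log_content(body)
        if hits:
            findings.append({"url": url, "indicators": hits, "bytes": len(body)})
    return findings


# Constructed sample of what a leaked log line might look like (not real data).
SAMPLE_LOG = (
    "[2025-12-02 10:15:31] GET https://shop.example/wp-admin/admin-ajax.php?action=ssp_debug\n"
    "  ip=203.0.113.45 user_id=1 ua=Mozilla/5.0 (X11; Linux x86_64)\n"
    "  PHP Warning: Undefined index in /var/www/shop/wp-content/plugins/ssp-debug/log.php\n"
)


def _demo() -> list:
    # Hypothetical path; replace it with the plugin's real log location.
    paths = ["wp-content/uploads/ssp-debug/debug.log"]

    def fake_fetch(url: str) -> tuple:  # stands in for the network in the demo
        return (200, SAMPLE_LOG) if url.endswith("debug.log") else (404, "")

    return probe_log_exposure("https://shop.example", paths, fetch=fake_fetch)


if __name__ == "__main__":
    for finding in _demo():
        print(f"EXPOSED {finding['url']}: {finding['indicators']}")
```

Against a live site, pass `default_fetch` (the default) and the real path; any finding means the log must be blocked at the web server until a fixed plugin version is installed.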
In Django versions 5.2 before 5.2.9, 5.1 before 5.1.15 and 4.2 before 4.2.27, a high severity vulnerability, CVE-2025-64460, was detected. Specially crafted XML input causes excessive CPU and memory consumption during XML deserialization, allowing an attacker to trigger a denial of service; only code paths that deserialize attacker-supplied XML are exposed. To address this issue, users should upgrade Django to version 5.2.9, 5.1.15 or 4.2.27. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-64460.
Category: Application Development
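The resource budget a practitioner can enforce on attacker-supplied XML before it reaches any deserializer, as an added example that is not Django code and does not reproduce the CVE-2025-64460 defect: it caps size, element count and nesting depth, and rejects entity declarations. The fixture-shaped document and the three hostile inputs are constructed for the demonstration.

```python
"""Bounded pre-check for untrusted XML before handing it to a deserializer.

Added example for this digest, not Django code. It streams the document
through expat and aborts as soon as a limit is crossed, so a pathological
document is rejected before it can consume CPU or memory in the real parser.
"""
import xml.parsers.expat as expat


class XMLBudgetExceeded(ValueError):
    pass


class _Budget:
    def __init__(self, max_elements: int, max_depth: int):
        self.max_elements, self.max_depth = max_elements, max_depth
        self.elements = self.depth = self.peak_depth = 0

    def start(self, name, attrs):
        self.elements += 1
        self.depth += 1
        self.peak_depth = max(self.peak_depth, self.depth)
        if self.elements > self.max_elements:
            raise XMLBudgetExceeded(f"more than {self.max_elements} elements")
        if self.depth > self.max_depth:
            raise XMLBudgetExceeded(f"nesting deeper than {self.max_depth}")

    def end(self, name):
        self.depth -= 1

    def entity_decl(self, *_):
        # Internal entity declarations are the building block of the
        # "billion laughs" expansion attack; no data-interchange format needs them.
        raise XMLBudgetExceeded("entity declarations are not allowed")


def check_xml_budget(data: bytes, *, max_bytes: int = 1 << 20,
                     max_elements: int = 10_000, max_depth: int = 50) -> dict:
    """Parse `data` with expat under the given limits. Returns the observed
    element count and peak depth; raises XMLBudgetExceeded on the first
    violation and expat.ExpatError on malformed XML."""
    if len(data) > max_bytes:
        raise XMLBudgetExceeded(f"document larger than {max_bytes} bytes")
    budget = _Budget(max_elements, max_depth)
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = budget.start
    parser.EndElementHandler = budget.end
    parser.EntityDeclHandler = budget.entity_decl
    parser.Parse(data, True)  # exceptions raised inside handlers propagate here
    return {"elements": budget.elements, "peak_depth": budget.peak_depth}


def xml_within_budget(data: bytes, **limits) -> bool:
    """Predicate form: True only for well-formed XML that fits the budget."""
    try:
        check_xml_budget(data, **limits)
        return True
    except (XMLBudgetExceeded, expat.ExpatError):
        return False


# Constructed inputs: a small fixture-shaped document and three hostile ones.
FIXTURE = (b'<?xml version="1.0" encoding="utf-8"?>'
           b'<django-objects version="1.0"><object model="app.thing" pk="1">'
           b'<field name="name" type="CharField">ok</field></object></django-objects>')
DEEP_NEST = b"<a>" * 200 + b"</a>" * 200          # depth attack
WIDE_FLAT = b"<r>" + b"<e/>" * 20_000 + b"</r>"    # element-count attack
LAUGHS = (b'<!DOCTYPE lolz [<!ENTITY lol "lol">'
          b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
          b"<lolz>&lol2;</lolz>")                   # entity-expansion attack

if __name__ == "__main__":
    print(check_xml_budget(FIXTURE))
    for label, doc in (("deep", DEEP_NEST), ("wide", WIDE_FLAT), ("laughs", LAUGHS)):
        print(label, "accepted" if xml_within_budget(doc) else "rejected")
```

Tune the limits to the largest legitimate document the endpoint must accept; the defaults are deliberately small. This check complements the upgrade, it does not replace it.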
In Django versions 5.2 before 5.2.9, 5.1 before 5.1.15 and 4.2 before 4.2.27, a medium severity vulnerability, CVE-2025-13372, was detected. On PostgreSQL, column aliases introduced through `FilteredRelation` were not adequately validated, so an attacker who controls the keys of a dictionary expanded into `QuerySet.annotate()` or `QuerySet.alias()` (for example `qs.annotate(**user_supplied)`) can perform SQL injection. To address this issue, users should upgrade Django to version 5.2.9, 5.1.15 or 4.2.27; as defence in depth, never let request data choose annotation names. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13372.
Category: Application Development
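The defence-in-depth pattern the advisory points at, as an added example (not Django code): alias names for `annotate()` and `alias()` come from a server-owned catalogue rather than from request data. Django expressions are stood in for by plain strings and a small fake QuerySet records the call, both hypothetical, so the file runs without Django installed.

```python
"""Never let request data choose QuerySet.annotate()/alias() names.

Added example for this digest, not Django code. Expressions are plain strings
and FakeQuerySet is a stand-in (both hypothetical); the point is the contrast
between expanding a caller-controlled dict and mapping through an allowlist.
"""
import re

# Alias grammar: ASCII identifier, no leading underscore, no "__" lookup separator.
_ALIAS_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*")


class UnsafeAliasError(ValueError):
    pass


def is_safe_alias(alias) -> bool:
    """Structural check: identifier-shaped and free of Django's lookup separator."""
    return (isinstance(alias, str)
            and _ALIAS_RE.fullmatch(alias) is not None
            and "__" not in alias)


# Server-owned catalogue: a request may only pick *keys* of this mapping.
ALLOWED_ANNOTATIONS = {
    "total_price": "Sum('items__price')",
    "item_count": "Count('items')",
}


def build_annotations(requested) -> dict:
    """Map requested names onto server-defined expressions; refuse anything else."""
    annotations = {}
    for name in requested:
        if not is_safe_alias(name):
            raise UnsafeAliasError(f"alias rejected: {name!r}")
        if name not in ALLOWED_ANNOTATIONS:
            raise UnsafeAliasError(f"alias not in catalogue: {name!r}")
        annotations[name] = ALLOWED_ANNOTATIONS[name]
    return annotations


class FakeQuerySet:
    """Records what would reach Django's annotate(); stand-in only."""

    def __init__(self):
        self.calls = []

    def annotate(self, **kwargs):
        self.calls.append(kwargs)
        return self


def annotate_unsafe(qs, user_dict: dict):
    # Vulnerable shape: the attacker controls the alias names (the dict keys).
    return qs.annotate(**user_dict)


def annotate_safe(qs, requested: list):
    # Hardened shape: names are validated against the catalogue, expressions stay server-side.
    return qs.annotate(**build_annotations(requested))


# Constructed attacker input: a "name" that is not an identifier at all.
HOSTILE = {'total_price" ; DROP TABLE app_order; --': "Sum('items__price')"}

if __name__ == "__main__":
    qs = FakeQuerySet()
    annotate_unsafe(qs, HOSTILE)
    print("unsafe path forwarded alias:", list(qs.calls[-1])[0])
    try:
        annotate_safe(qs, list(HOSTILE))
    except UnsafeAliasError as err:
        print("safe path rejected:", err)
```

The catalogue approach also removes the temptation to accept arbitrary expressions from the client; if a new annotation is needed, it is added server-side under a fixed name.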
In GitLab CE/EE versions 18.4 prior to 18.4.5, 18.5 prior to 18.5.3 and 18.6 prior to 18.6.1, a high severity vulnerability, CVE-2024-9183, was detected. Under specific conditions, an authenticated attacker can exploit a time-of-check to time-of-use (TOCTOU) race condition to obtain credentials belonging to higher-privileged users and then perform unauthorized actions in their context. To address this issue, users should upgrade GitLab CE/EE to version 18.4.5, 18.5.3 or 18.6.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-9183.
Category: Developer Tools
In Mattermost versions 10.11.x up to and including 10.11.4 and 10.5.x up to and including 10.5.12, a low severity vulnerability, CVE-2025-13870, was detected. Authenticated users can bypass permission checks when accessing board files or subscribing to blocks, gaining access to files and subscriptions of boards they are not authorized to view. To address this issue, users should upgrade Mattermost to version 10.11.5 or 10.5.13. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13870.
Category: Communication
In Mattermost versions 11.0.x up to and including 11.0.2, 10.12.x up to and including 10.12.1, 10.11.x up to and including 10.11.4 and 10.5.x up to and including 10.5.12, a medium severity vulnerability, CVE-2025-12756, was detected. Authenticated users holding only the editor role can bypass permission checks and delete comments created by other users in Boards. To address this issue, users should upgrade Mattermost to version 11.0.3, 10.12.2, 10.11.5 or 10.5.13, or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-12756.
Category: Communication
In Nexus Repository versions 3.83.0 through 3.83.x, a medium severity vulnerability, CVE-2025-13488, was detected. A regression introduced in 3.83.0 means a security header is no longer applied to certain user-uploaded content served from repositories, so an authenticated attacker with upload privileges to a repository can store a cross-site scripting (XSS) payload that executes in the browser of any user who later loads that content. To address this issue, users should upgrade Nexus Repository to version 3.84.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13488.
Category: Developer Tools
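A header audit for responses that serve user-uploaded artifacts, as an added example that is not Sonatype code: the advisory does not say which header regressed, so this checks the set a browser relies on to keep uploaded content inert (`X-Content-Type-Options`, a script-blocking `Content-Security-Policy`, and an attachment `Content-Disposition` for renderable types). The two header dictionaries are constructed, not captured from Nexus.

```python
"""Audit response headers on user-uploaded content served by a repository.

Added example for this digest; not Sonatype code. Feed it the headers of a
raw-artifact response (for instance from `curl -sI`) to see whether the
browser is allowed to render and execute what an uploader supplied.
"""

# MIME types a browser renders inline and that can carry script or
# script-like behaviour; these must never be served inline from an
# uploader-controlled path without a sandboxing policy.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml", "application/pdf",
}


def _active(content_type: str) -> bool:
    mime = content_type.split(";", 1)[0].strip().lower()
    return mime in ACTIVE_TYPES or mime.endswith("+xml")


def audit_upload_headers(headers: dict) -> list:
    """Return findings for a raw-content response; an empty list means hardened."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff (MIME sniffing allowed)")

    csp = h.get("content-security-policy", "").lower()
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif ("sandbox" not in csp and "script-src 'none'" not in csp
          and "default-src 'none'" not in csp):
        findings.append("Content-Security-Policy does not block script execution")

    content_type = h.get("content-type", "")
    if _active(content_type):
        disposition = h.get("content-disposition", "").strip().lower()
        if not disposition.startswith("attachment"):
            findings.append(f"{content_type} served inline without Content-Disposition: attachment")
    return findings


# Constructed responses for a hypothetical raw-artifact URL.
HARDENED = {
    "Content-Type": "image/svg+xml",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "sandbox",
    "Content-Disposition": "attachment; filename=logo.svg",
}
REGRESSED = {
    "Content-Type": "image/svg+xml",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("regressed", REGRESSED)):
        print(label, audit_upload_headers(hdrs) or "OK")
```

Run it against the raw-download URL of an artifact you uploaded yourself, before and after the upgrade, to confirm the header is back.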
In the Easy Jump Links Menus plugin for WordPress, versions up to and including 1.0.0, a medium severity vulnerability, CVE-2025-13860, was identified. The h_tags parameter is neither sufficiently sanitized on input nor escaped on output, allowing authenticated attackers with Contributor-level access and above to perform stored cross-site scripting (XSS): the injected script executes whenever any user views the affected page. To address this issue, users should upgrade the plugin to version 1.0.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13860.
Category: CMS
In the Feedback Modal for Website plugin for WordPress, versions up to and including 1.0.1, a medium severity vulnerability, CVE-2025-13528, was identified. The handle_export function lacks a capability check, so unauthenticated attackers can export all stored feedback data in CSV or JSON format via the export_data parameter, disclosing potentially sensitive user feedback. To address this issue, users should upgrade the plugin to version 1.0.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13528.
Category: CMS