In Kibana versions 7.0.0-alpha1 and prior, from 8.0.0 up to and including 8.19.8, from 9.0.0 up to and including 9.1.8, from 9.2.0 up to and including 9.2.2 a medium severity vulnerability CVE-2025-68389 was detected. This vulnerability is caused by allocation of resources without limits or throttling (CWE-770), allowing a low-privileged authenticated attacker to trigger excessive resource consumption through a crafted HTTP request, resulting in a denial of service (DoS) of the Kibana process. To address this issue, users should upgrade Kibana to versions 8.19.9, 9.1.9 and 9.2.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68389.
Read more Data AnalyticsIn Kibana versions 7.0.0-alpha1 and prior, from 8.0.0 up to and including 8.19.8, from 9.0.0 up to and including 9.1.8, from 9.2.0 up to and including 9.2.2 a medium severity vulnerability CVE-2025-68387 was detected. This vulnerability stems from improper input neutralization during web page generation (CWE-79) in a Vega AST evaluator function handler, allowing unauthenticated attackers to inject malicious scripts that are served to users’ browsers and execute arbitrary code via cross-site scripting (XSS). To address this issue, users should upgrade Kibana to versions 8.19.9, 9.1.9 and 9.2.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68387.
Read more Data AnalyticsIn MongoDB Server versions before 8.0.16, 7.0.26, and 8.2.2 a low severity vulnerability CVE-2025-14345 was detected. This vulnerability can cause temporary data inconsistencies in cross-shard transactions. To fix this issue, users should upgrade to MongoDB Server versions 8.0.16, 7.0.26 or 8.2.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-14345.
Read more DatabaseIn ZITADEL versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 a medium severity vulnerability CVE-2025-67717 was detected. This vulnerability allows authenticated users to view the total number of instance users via the totalResult field, regardless of their permissions, potentially disclosing sensitive information. To address this issue users should upgrade to ZITADEL versions 3.4.5, 4.7.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-67717.
Read more Developer ToolsIn ZITADEL versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 a medium severity vulnerability CVE-2025-67717 was detected. This vulnerability allows authenticated users to view the total number of instance users via the totalResult field regardless of their assigned permissions, leading to information disclosure that may be sensitive in certain contexts. To address this issue, users should upgrade ZITADEL to versions 3.4.5 or 4.7.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-67717.
Read more Developer ToolsIn Elasticsearch versions 7.0.0-alpha1 and prior, prior to 8.19.8, 9.0.0-beta1 and prior, prior to 9.1.8, 9.2.0 and prior, prior to 9.2.21 a medium severity vulnerability CVE-2025-37731 was detected. This vulnerability allows attackers to impersonate legitimate users through improper authentication in the PKI realm by using specially crafted client certificates signed by a trusted Certificate Authority. To address this issue, users should upgrade Elasticsearch to versions 8.19.8, 9.1.8 or 9.2.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-37731.
Read more Data AnalyticsIn Kibana versions 7.0.0-alpha1 and prior, prior to 8.19.8, 9.0.0-beta1 and prior, prior to 9.1.8, 9.2.0 and prior, prior to 9.2.21 a medium severity vulnerability CVE-2025-37732 was detected. This vulnerability allows an authenticated attacker to perform cross-site scripting (XSS) by rendering arbitrary HTML tags in a user’s browser through the integration package upload functionality, bypassing a previous fix related to ESA-2025-17 (CVE-2025-25018) and enabling HTML injection during web page generation. To address this issue, users should upgrade Kibana to versions 8.19.8, 9.1.8 or 9.2.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-37732.
Read more Data AnalyticsIn Apache HTTP Server versions from 2.4.7 up to 2.4.65 a low severity vulnerability CVE-2025-66200 was detected. This vulnerability allows users with access to the RequestHeader directive in .htaccess files to bypass mod_userdir and suexec protections, causing some CGI scripts to run under an unexpected user ID, which may lead to unauthorized access or execution of malicious scripts. To address this issue users must upgrade to Apache HTTP Server version 2.4.66 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-66200.
Read more Application DevelopmentIn Apache HTTP Server versions from 2.4.0 up to 2.4.65 a low severity vulnerability CVE-2025-65082 was detected. This vulnerability allows environment variables set via the Apache configuration to unexpectedly supersede variables calculated by the server for CGI programs due to improper neutralization of escape, meta, or control sequences. To address this issue, users must upgrade to Apache HTTP Server version 2.4.66 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-65082.
Read more Application Development