In Liferay Portal 7.3.7 through 7.4.3.103, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 service pack 3 through update 36 a medium severity vulnerability CVE-2025-62263 was detected. This vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Account Role’s “Title” text field and an Organization’s “Name” text field, potentially leading to stored cross-site scripting (XSS) on multiple pages. To fix this issue, users should upgrade to Liferay Portal 7.4.3.104, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.0, or Liferay DXP 2023.Q3.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62263.
Read more CMS
In Liferay Portal 7.4.0 through 7.4.3.99, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 34, and older unsupported versions a medium severity vulnerability CVE-2025-62261 was detected. This vulnerability allows attackers with access to the database to obtain password reset tokens stored in plain text, reset a user’s password, and take over the user’s account. To fix this issue, users should upgrade to Liferay Portal 7.4.3.100, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.0, Liferay DXP 2023.Q3.5, or Liferay DXP 7.3 U35. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62261.
Read more CMS
In GitLab Enterprise Edition versions from 17.6.0 up to and including 18.3.4, from 18.4.0 up to and including 18.4.2, and from 18.5.0 up to and including 18.5.0 a low severity vulnerability CVE-2025-11989 was detected. This vulnerability allows an authenticated attacker to execute unauthorized quick actions by embedding malicious commands in specific descriptions. To address this issue, users should update GitLab to versions 18.3.5, 18.4.3, or 18.5.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-11989.
Read more Developer Tools
In GitLab Community and Enterprise Editions versions from 11.7.0 up to and including 18.3.4, from 18.4.0 up to and including 18.4.2, and from 18.5.0 up to and including 18.5.0 a medium severity vulnerability CVE-2025-11974 was detected. This vulnerability allows an unauthenticated attacker to cause a denial of service condition by uploading excessively large files to specific API endpoints without proper resource throttling. To address this issue, users should update GitLab to versions 18.3.5, 18.4.3, or 18.5.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-11974.
Read more Developer Tools
In GitLab Enterprise Edition versions from 10.6.0 up to and including 18.3.4, from 18.4.0 up to and including 18.4.2, and from 18.5.0 up to and including 18.5.0 a medium severity vulnerability CVE-2025-11971 was detected. This vulnerability allows an authenticated attacker to trigger unauthorized pipeline executions by manipulating commits due to improper authorization validation. To address this issue, users should update GitLab to versions 18.3.5, 18.4.3, or 18.5.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-11971.
Read more Developer Tools
In GitLab Community and Enterprise Edition versions from 11.0.0 up to and including 18.3.4, from 18.4.0 up to and including 18.4.2, and from 18.5.0 up to and including 18.5.0 a high severity vulnerability CVE-2025-11447 was detected. This vulnerability allows an unauthenticated attacker to cause a denial of service condition by sending crafted GraphQL requests that consume excessive resources due to missing rate limits and throttling. To address this issue, users should update GitLab to versions 18.3.5, 18.4.3, or 18.5.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-11447.
Read more Developer Tools
In GitLab Community and Enterprise Edition versions from 17.10.0 up to and including 18.3.4, from 18.4.0 up to and including 18.4.2, and from 18.5.0 up to and including 18.5.0 a high severity vulnerability CVE-2025-10497 was detected. This vulnerability allows an unauthenticated attacker to cause a denial of service condition by sending specially crafted payloads that consume excessive system resources due to missing rate limits and throttling. To address this issue, users should update GitLab to versions 18.3.5, 18.4.3, or 18.5.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-10497.
Read more Developer Tools
In Vault Community Edition versions 0.6.0 up to 1.20.4, and in Vault Enterprise versions 0.6.0 up to 1.20.4, 1.19.10, 1.18.15, and 1.16.26 a high severity vulnerability CVE-2025-11621 was detected. This vulnerability allows an attacker to bypass AWS authentication when the role of the configured bound_principal_iam is the same across AWS accounts or uses a wildcard. To address this issue, users should update to Vault Community Edition 1.21.0 or Vault Enterprise 1.21.0, 1.20.5, 1.19.11, or 1.16.27. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-11621.
Read more Security
In OpenVPN versions 2.7_alpha1 through 2.7_beta1 a high severity vulnerability CVE-2025-10680 was detected. This vulnerability allows a remote, authenticated OpenVPN server to inject and execute shell commands on POSIX-based clients via specially crafted DNS variables when the client is run with the –dns-updown option. To address this issue, users should upgrade OpenVPN to versions 2.7_beta2 or later (or otherwise avoid the vulnerable 2.7_alpha1–2.7_beta1 builds). For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-10680.
Read more Security