In Wazuh Agent versions prior to 4.13.0 a high severity vulnerability CVE-2025-30201 was detected. This vulnerability allows authenticated attackers to force NTLM authentication via malicious UNC paths in agent configuration settings, potentially enabling NTLM relay attacks that could lead to privilege escalation and remote code execution. To address this issue, users should upgrade Wazuh to version 4.13.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-30201.
Read more SecurityIn LimeSurvey versions up to and including 6.13.0 a medium severity vulnerability CVE-2025-41074 was detected. This issue allows unauthenticated attackers to trigger an infinite redirect loop by directly accessing the /optout endpoint, potentially leading to a denial‑of‑service condition through excessive server or client resource consumption. To address this issue, users should upgrade LimeSurvey to version 6.15.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-41074.
Read more CommunicationIn GitLab CE/EE versions 13.7 through 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2 a medium severity vulnerability CVE-2025-9825 was detected. This issue allows authenticated users without project membership to access sensitive manual CI/CD variables by querying the GraphQL API. These variables may contain confidential configuration details intended only for project members. To address this issue, users should upgrade GitLab to versions 18.2.9, 18.3.4, 18.4.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9825.
Read more Developer ToolsIn Code Snippets plugin versions up to and including 3.9.1 a high severity vulnerability CVE-2025-13035 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to execute arbitrary PHP code on the server via the [code_snippet] shortcode, due to the plugin using extract() on attacker-controlled shortcode attributes in the evaluate_shortcode_from_flat_file method, which can overwrite the $filepath variable that is later passed to require_once. Exploitation requires that the administrator has enabled the “Enable file-based execution” setting and that there is at least one active Content snippet. To address this issue, users should upgrade the plugin to version 3.9.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13035.
Read more CMSIn FunnelKit – Funnel Builder for WooCommerce Checkout plugin versions up to and including 3.13.1.2 a medium severity vulnerability CVE-2025-12878 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the wfop_phone shortcode’s default attribute, due to insufficient input sanitization and output escaping. These scripts will execute whenever a user accesses a page containing the injected shortcode. To address this issue, users should upgrade to version 3.13.1.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-12878.
Read more CMSIn SiteSEO – SEO Simplified plugin versions up to and including 1.3.2 a medium severity vulnerability CVE-2025-12814 was detected. This vulnerability allows authenticated attackers with access to at least one SiteSEO setting capability to reset the plugin’s settings due to an incorrect capability check on the siteseo_reset_settings function. To address this issue, users should upgrade the plugin to version 1.3.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-12814.
Read more CMSIn WSChat – WordPress Live Chat plugin versions up to and including 3.1.6 a medium severity vulnerability CVE-2025-12751 was detected. This vulnerability allows authenticated attackers with Subscriber-level access and above to reset the plugin’s settings due to a missing capability check on the ‘reset_settings’ AJAX endpoint. To address this issue, users should upgrade the plugin to version 3.1.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-12751.
Read more CMSIn authentik versions prior to 2025.8.5 and 2025.10.2 a medium severity vulnerability CVE-2025-64708 was detected. This vulnerability allows expired invitations to remain valid because invitation validation relied solely on background cleanup tasks, which normally run every five minutes but may be delayed when a large backlog of tasks exists. As a result, expired invitations could still be used until the cleanup occurred. To address this issue, users should upgrade authentik to versions 2025.8.5, 2025.10.2, or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-64708.
Read more SecurityIn authentik versions prior to 2025.8.5 and 2025.10.2 a medium severity vulnerability CVE-2025-64521 was detected. This vulnerability allows authentication to succeed for service accounts created for OAuth providers even when those accounts are deactivated, while other permission checks and assigned policies continue to function correctly. To address this issue, users should upgrade authentik to versions 2025.8.5, 2025.10.2, or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-64521.
Read more Security