In Strapi versions 5.0.0 through 5.5.1, a high-severity vulnerability, CVE-2024-56143, was detected. The lookup operator in the document service does not properly sanitize query parameters for private fields, allowing an attacker to access sensitive information such as admin passwords and reset tokens. To address this issue, users should upgrade Strapi to version 5.5.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-56143.

In Mastodon versions 4.2.27 through 4.2.x, 4.3.0 through 4.3.14, and 4.4.0 through 4.4.6, a medium-severity vulnerability, CVE-2025-62176, was detected. The streaming server serves public timeline events to clients with valid tokens even if they lack the read:statuses scope, allowing limited access to new public posts. To address this issue, users should upgrade Mastodon to versions 4.2.27, 4.3.14, or 4.4.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62176.

In Mastodon versions 4.2.27 through 4.2.x, 4.3.0 through 4.3.14, and 4.4.0 through 4.4.6, a medium-severity vulnerability, CVE-2025-62175, was detected. Disabling or suspending user accounts does not disconnect them from the streaming API, allowing continued access to real-time updates. To address this issue, users should upgrade Mastodon to versions 4.2.27, 4.3.14, or 4.4.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62175.

In Mastodon versions 4.2.27 through 4.2.x, 4.3.0 through 4.3.14, and 4.4.0 through 4.4.6, a low-severity vulnerability, CVE-2025-62174, was detected. Active sessions and access tokens are not revoked when a user's password is reset via the command-line interface, allowing continued access to the account. To address this issue, users should upgrade Mastodon to versions 4.2.27, 4.3.14, or 4.4.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62174.

In Spring Framework versions 6.2.0 through 6.2.11, 6.1.0 through 6.1.23, and 5.3.0 through 5.3.45, a medium-severity vulnerability, CVE-2025-41254, was detected. STOMP over WebSocket applications may allow an attacker to send unauthorized messages. To address this issue, users should upgrade Spring Framework to versions 6.2.12, 6.1.24, or 5.3.46 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-41254.

In Strapi versions prior to 5.20.0, a medium-severity vulnerability, CVE-2025-53092, was detected. Default installations of Strapi reflect the value of the Origin header back in the Access-Control-Allow-Origin response header without proper validation or whitelisting. This allows an attacker-controlled site to send credentialed requests to the Strapi backend, potentially exposing sensitive data. To address this issue, users should upgrade Strapi to version 5.20.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-53092.

In Strapi versions prior to 5.10.3, a medium-severity vulnerability, CVE-2025-25298, was detected. The @strapi/core package does not enforce a maximum password length when using bcryptjs for password hashing. Passwords longer than 72 bytes are silently truncated, reducing effective entropy and potentially misleading users about password strength. To address this issue, users should upgrade Strapi to version 5.10.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25298.

In Strapi versions prior to 5.24.1, a medium-severity vulnerability, CVE-2025-3930, was detected. JWT tokens are not invalidated after logout or account deactivation, allowing an attacker who has stolen or intercepted a token to reuse it until its expiration. The existence of the /admin/renew-token endpoint allows near-expiration tokens to be renewed indefinitely, increasing the potential impact. To address this issue, users should upgrade Strapi to version 5.24.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3930.

In Mattermost versions 10.5.x through 10.5.10 and 10.11.x through 10.11.2, a low-severity vulnerability, CVE-2025-10545, was detected. Improper validation of guest user permissions allows attackers to add any team members to private channels via the /api/v4/channels/{channel_id}/members endpoint. To address this issue, users should upgrade to Mattermost versions 10.5.11, 10.11.3, or 10.12.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-10545.