In Mattermost versions 10.11.x through 10.11.3 and 10.5.x through 10.5.11 a low severity vulnerability CVE-2025-55074 was detected. This vulnerability causes Mattermost to fail to enforce access permissions on the Agents plugin, allowing other users to determine when users had read channels via channel member objects. Fixed versions include 11.0.0, 10.11.4, and 10.5.12. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-55074.
Read more CommunicationIn RTMKit Addons for Elementor plugin versions up to and including 1.6.1 a medium severity vulnerability CVE-2025-8609 was detected. This vulnerability allows authenticated attackers with contributor-level access and above to perform Stored Cross-Site Scripting via the plugin’s Accordion Block attributes due to insufficient sanitization and escaping of user-supplied input, causing injected scripts to run when a user views an affected page. To address this issue, users should upgrade the plugin to version 1.6.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8609.
Read more CMSIn Gutenify – Visual Site Builder Blocks & Site Templates plugin versions up to and including 1.5.9 a medium severity vulnerability CVE-2025-8605 was detected. This vulnerability allows authenticated attackers with contributor-level access and above to perform Stored Cross-Site Scripting by abusing insufficient input sanitization and output escaping on block attributes, enabling malicious scripts to execute whenever a user accesses an affected page. To address this issue, users should upgrade the plugin to version 1.6.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8605.
Read more CMSIn AI Engine plugin versions up to and including 3.1.8 a medium severity vulnerability CVE-2025-8084 was detected. This vulnerability allows authenticated attackers with Editor-level access and above to perform Server-Side Request Forgery via the rest_helpers_create_images function, enabling them to make web requests to arbitrary locations from the web application. On Cloud instances, this can lead to metadata retrieval and unauthorized querying or modification of internal services. To address this issue, users should upgrade the plugin to version 3.1.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8084.
Read more CMSIn Mattermost versions prior to 11 a medium severity vulnerability CVE-2025-11776 was identified. This vulnerability allows guest users to bypass access restrictions on the archived channel search API and discover archived public channels via the /api/v4/teams/{team_id}/channels/search_archived endpoint. To fix this vulnerability, users should upgrade Mattermost to version 11 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-11776.
Read more CommunicationMattermost versions 10.11.x through 10.11.3, 10.5.x through 10.5.11, and 10.12.x through 10.12.0 contain a medium severity vulnerability CVE-2025-11794. This vulnerability allows system administrators to access password hashes and MFA secrets due to improper sanitization of user data in the POST /api/v4/users/{user_id}/email/verify/member endpoint. To address this issue, users should upgrade Mattermost to version 10.11.4, 10.5.12, or 10.12.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-11794.
Read more CommunicationGitLab CE/EE versions 16.7 through 18.3.5, 18.4 through 18.4.3, and 18.5 through 18.5.1 contain a medium severity vulnerability CVE-2025-2615. This vulnerability could allow a blocked user to access sensitive information by establishing GraphQL subscriptions through WebSocket connections. To address this issue, users should upgrade GitLab to version 18.3.6, 18.4.4, 18.5.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2615.
Read more Developer ToolsThe Coil Web Monetization plugin for WordPress versions up to and including 2.0.2 contains a medium severity vulnerability CVE-2025-9625. This vulnerability is caused by missing or incorrect nonce validation on the coil-get-css-selector parameter in the maybe_restrict_content function, allowing unauthenticated attackers to trigger CSS selector detection via a forged request if a site administrator is tricked into clicking a malicious link. To address this issue, users should upgrade the plugin to version 2.0.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9625.
Read more CMSThe RTMKit Addons for Elementor plugin for WordPress versions up to and including 1.6.1 contains a medium severity vulnerability CVE-2025-8609. This vulnerability is caused by insufficient input sanitization and output escaping on the plugin’s Accordion Block attributes, allowing authenticated attackers with contributor-level access and above to inject arbitrary web scripts that execute whenever a user accesses the infected page. To address this issue, users should upgrade the plugin to version 1.6.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8609.
Read more CMS