In Apache Spark versions before 3.4.4, 3.5.2, and 4.0.0 a medium severity vulnerability CVE-2025-55039 was detected. When spark.network.crypto.enabled is true but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication. This allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows. To address this issue, users should upgrade Apache Spark to 3.4.4, 3.5.2, or 4.0.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-55039.
Read more Data Analytics
In Mattermost versions 10.5.x through 10.5.10, 10.10.x through 10.10.2, and 10.11.x through 10.11.1 a high severity vulnerability CVE-2025-58073 was detected. Improper validation of the OAuth state parameter allows attackers to join any team on a Mattermost server, bypassing invite restrictions. To address this issue, users should upgrade to Mattermost versions 10.5.11, 10.10.3, 10.11.2, or 10.12.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-58073.
Read more Communication
In Mattermost Desktop App versions up to 5.13.0 a medium severity vulnerability CVE-2025-55035 was detected. Improper handling of modal dialogs for servers using basic authentication allows an attacker to deny access to the Desktop App. By tricking a user into configuring a malicious server, a modal popup can be triggered that cannot be closed, effectively causing a denial of service. To address this issue, users should upgrade to Mattermost Desktop App version 5.13.1.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-55035.
Read more Communication
In Mattermost versions 10.5.x through 10.5.10 and 10.11.x through 10.11.2 a low severity vulnerability CVE-2025-54499 was detected. Improper handling of sensitive string comparisons without constant-time enforcement allows attackers to exploit timing differences to perform byte-by-byte brute force attacks on Cloud API keys and OAuth client secrets. To address this issue, users should upgrade to Mattermost versions 10.5.11, 10.11.3, or 10.12.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-54499.
Read more Communication
In Mattermost versions 10.5.x through 10.5.10 and 10.11.x through 10.11.2 a medium severity vulnerability CVE-2025-41443 was detected. Improper validation of guest user permissions allows attackers to discover active public channels and their metadata via the /api/v4/teams/{team_id}/channels/ids endpoint. To address this issue, users should upgrade to Mattermost versions 10.5.11, 10.11.3, or 10.12.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-41443.
Read more Communication
In Mattermost versions 10.5.x through 10.5.10, 10.10.x through 10.10.2, and 10.11.x through 10.11.2 a medium severity vulnerability CVE-2025-41410 was detected. Improper validation of email ownership during the Slack import process allows attackers to create verified user accounts with arbitrary email domains, bypassing email-based team access restrictions. To address this issue, users should upgrade to Mattermost versions 10.5.11, 10.10.3, 10.11.3, or 10.12.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-41410.
Read more Communication
In Liferay Portal versions 7.4.0 through 7.4.3.111 and older unsupported versions, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions a medium severity vulnerability CVE-2025-62246 was detected. Multiple stored cross-site scripting (XSS) vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via crafted payloads in a user’s first, middle, or last name fields. The injected payloads may execute in multiple components, including page comments, blog entries, document and media comments, message board messages, wiki page comments, and other widgets or apps supporting mentions. To address this issue, users should upgrade to Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62246.
Read more CMS
In Liferay Portal versions 7.3.1 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and 7.3 GA through update 36 a medium severity vulnerability CVE-2025-62244 was detected. An insecure direct object reference (IDOR) vulnerability in the Publications module allows remote authenticated users to access and view the edit page of a publication by manipulating the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_ctCollectionId parameter. To address this issue, users should upgrade to Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62244.
Read more CMS
In Liferay Portal versions 7.4.1 through 7.4.3.112 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-62243 was detected. Insecure direct object reference (IDOR) flaws in the Publications module allow remote authenticated users to view publication comments via the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_value parameter and edit them through crafted URLs due to missing permission checks. To address this issue, users should upgrade to Liferay Portal 7.4.3.113, Liferay DXP 2024.Q2.0, 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62243.
Read more CMS