In Rancher Manager versions 2.9.0 through 2.9.11, 2.10.0 through 2.10.9, 2.11.0 through 2.11.5, and 2.12.0 through 2.12.1 a high severity vulnerability CVE-2024-58260 was detected. A missing server-side validation on the .username field allows users with update permissions on other User resources to cause denial of access for targeted accounts, potentially impacting system availability and user access. To address this issue, users should upgrade Rancher Manager to versions 2.9.12, 2.10.10, 2.11.6, 2.12.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-58260.
Read more Developer Tools
In Redis versions 8.2.1 and below a high severity vulnerability CVE-2025-49844 was detected. Authenticated users can use a specially crafted Lua script to manipulate the garbage collector, triggering a use-after-free condition that may lead to remote code execution. This issue affects all Redis versions with Lua scripting enabled. To address this issue, users should upgrade Redis to version 8.2.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-49844.
Read more Database
In Redis versions 8.2.1 and below a medium severity vulnerability CVE-2025-46819 was detected. Authenticated users can use specially crafted Lua scripts to read out-of-bounds data or crash the server, leading to denial of service (DoS). This issue affects all Redis versions with Lua scripting enabled. To address this issue, users should upgrade Redis to version 8.2.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-46819.
Read more Database
In Rancher Manager versions 2.9.0 through 2.9.11, 2.10.0 through 2.10.9, 2.11.0 through 2.11.5, and 2.12.0 through 2.12.1 a medium severity vulnerability CVE-2025-54468 was detected. The /meta/proxy endpoint may send Impersonate-Extra-* headers to external entities, such as amazonaws.com. These headers can contain identifiable or sensitive information, including email addresses. To address this issue, users should upgrade Rancher Manager to versions 2.9.12, 2.10.10, 2.11.6, 2.12.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-54468.
Read more Developer Tools
In Kibana versions 7.x prior to and including 7.17.29, 8.x from 8.14.0 up to 8.18.7, 8.19.x from 8.19.0 up to 8.19.4, 9.0.x from 9.0.0 up to 9.0.7, and 9.1.x from 9.1.0 up to 9.1.4 a medium severity vulnerability CVE-2025-37728 was detected. Insufficiently protected credentials in the CrowdStrike connector can lead to CrowdStrike credentials being leaked. A malicious user can access cached credentials from a CrowdStrike connector in another space by creating and running a CrowdStrike connector in a space to which they have access. To address this issue, users should update Kibana to versions 8.18.8, 8.19.5, 9.0.8, or 9.1.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-37728.
Read more Data Analytics
In Kibana versions 7.x prior to and including 7.17.29, 8.x from 8.0.0 up to and including 8.18.7, 8.19.x from 8.19.0 up to and including 8.19.4, 9.0.x from 9.0.0 up to and including 9.0.7, and 9.1.x from 9.1.0 up to and including 9.1.4 a high severity vulnerability CVE-2025-25009 was detected. Improper neutralization of input during web page generation in Kibana can lead to Stored Cross-Site Scripting via case file upload. To address this issue, users should upgrade Kibana to versions 8.18.8, 8.19.5, 9.0.8, or 9.1.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25009.
Read more Data Analytics
In Liferay Portal versions 7.4.3.15 through 7.4.3.111, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 15 through update 92 a medium severity vulnerability CVE-2025-43822 was detected. Multiple stored cross-site scripting vulnerabilities allow remote attackers to inject arbitrary web script or HTML via a crafted payload in a Terms and Conditions Name text field, affecting Payment Terms or Delivery Term on the view order page. To address this issue, users should upgrade Liferay Portal to version 7.4.3.112, and Liferay DXP to versions 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43822.
Read more CMS
In Liferay Portal versions 7.4.0 through 7.4.3.111 and older unsupported versions, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions a medium severity vulnerability CVE-2025-43824 was detected. The Profile widget uses a user’s name in the “Content-Disposition” header, which allows remote authenticated users to change the file extension when a vCard file is downloaded. To address this issue, users should upgrade Liferay Portal to version 7.4.3.112, and Liferay DXP to versions 2024.Q2.0, 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43824.
Read more CMS
In Liferay Portal versions 7.4.0 through 7.4.3.111, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA a medium severity vulnerability CVE-2025-43823 was detected. Cross-site scripting in the Commerce Search Result widget allows remote attackers to inject arbitrary web script or HTML via a crafted payload in a Commerce Product’s Name text field. To address this issue, users should upgrade Liferay Portal to version 7.4.3.112, and Liferay DXP to versions 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43823.
Read more CMS