In Discourse versions up to and including 3.5.0 a medium severity vulnerability CVE-2025-59337 was detected. This issue allowed malicious meta-commands to be embedded in a backup dump and executed during restore. In multisite deployments, this could enable an admin of one site to access data or credentials from other sites. To address this issue, users should upgrade Discourse to version 3.5.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-59337.
Read more Communication
In Discourse versions 3.5.0 and below a medium severity vulnerability CVE-2025-58055 was detected. The AI suggestion endpoints for topic “Title,” “Category,” and “Tags” allowed authenticated users to extract information about topics they weren’t authorized to access by modifying the topic_id parameter in API requests. To address this issue, users should upgrade Discourse to version 3.5.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-58055.
Read more Communication
In Discourse versions 3.5.0 and below a medium severity vulnerability CVE-2025-58054 was detected. The platform is vulnerable to Cross-Site Scripting attacks through parsing and rendering of chat channel titles and chat thread titles via the quote message functionality when using the rich text editor. To address this issue, users should upgrade Discourse to version 3.5.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-58054.
Read more Communication
In Django versions 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7 a low severity vulnerability CVE-2025-59682 was detected. The django.utils.archive.extract() function, used by the “startapp –template” and “startproject –template” commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory. To address this issue, users should upgrade Django to versions 4.2.25, 5.1.13 5.2.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-59682.
Read more Application Development
In Django versions 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7 a high severity vulnerability CVE-2025-59681 was detected. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods on MySQL and MariaDB. To address this issue, users should upgrade Django to versions 4.2.25, 5.1.13, 5.2.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-59681.
Read more Application Development
In Liferay Portal versions 7.4.3.50 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.7, and 7.4 Update 50 through Update 92 a medium severity vulnerability CVE-2025-43811 was detected. This stored cross-site scripting vulnerability in the related asset selector allows remote authenticated attackers to inject arbitrary web script or HTML via a crafted payload placed in an asset author’s First Name, Middle Name, or Last Name fields. To address this issue, users should upgrade Liferay Portal to version7.4.3.112 and Liferay DXP to versions 2024.Q1.1, 2023.Q4.5, 2023.Q3.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43811.
Read more CMS
In Liferay Portal versions 7.4.3.4 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through Update 92 a medium severity vulnerability CVE-2025-43812 was detected. This cross-site scripting vulnerability in web content templates allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload placed in a web content structure’s Name field. To address this issue, users should upgrade Liferay Portal to version 7.4.3.112 and Liferay DXP to versions 2024.Q1.1, 2023.Q4.5, 2023.Q3.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43812.
Read more CMS
In Argo CD versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6, and 3.0.17 a high severity vulnerability CVE-2025-59538 was detected. This vulnerability allows unauthenticated attackers to cause a denial-of-service (DoS) by sending a malformed Azure DevOps git.push webhook to the /api/webhook endpoint when webhook.azuredevops.username and webhook.azuredevops.password are not set, causing the server process to crash due to an index-out-of-range panic on an empty JSON array. To address this issue, users should upgrade Argo CD to versions 2.14.20, 3.2.0-rc2, 3.1.8 or 3.0.19. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-59538.
Read more Developer Tools
In Argo CD versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 a high severity vulnerability CVE-2025-59537 was detected. This vulnerability allows unauthenticated attackers to cause a denial-of-service (DoS) condition by sending a malformed Gogs webhook payload to the `/api/webhook` endpoint when `webhook.gogs.secret` is not set, causing the Argo CD server process to crash if the `commits[].repo` field in the JSON payload is missing or null. To address this issue, users should upgrade Argo CD to versions 2.14.20, 3.2.0-rc2, 3.1.8 or 3.0.19. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-59537.
Read more Developer Tools