In Argo CD versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18, a high severity vulnerability, CVE-2025-59531, was detected. This vulnerability allows unauthenticated attackers to cause a denial-of-service (DoS) condition by sending a malformed Bitbucket Server webhook payload to the `/api/webhook` endpoint when `webhook.bitbucketserver.secret` is not configured, causing the Argo CD server process to crash and potentially triggering a full API outage. To address this issue, users should upgrade Argo CD to version 2.14.20, 3.2.0-rc2, 3.1.8 or 3.0.19. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-59531.

In Liferay Portal versions 7.4.3.102 through 7.4.3.110 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.2 and 2023.Q3.5, a medium severity vulnerability, CVE-2025-43815, was detected. This reflected cross-site scripting (XSS) vulnerability occurs on the page configuration page, where the com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURLTitle parameter can be exploited by remote attackers to inject arbitrary web script or HTML. To address this issue, users should upgrade Liferay Portal to version 7.4.3.111 and Liferay DXP to version 2024.Q1.1, 2023.Q4.3, 2023.Q3.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43815.

In Liferay Portal versions 7.4.3.35 through 7.4.3.110 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6, 7.4 Update 35 through Update 92, and 7.3 Update 25 through Update 36, a medium severity vulnerability, CVE-2025-43820, was detected. This issue affects the Calendar widget, where crafted payloads injected into a user's First Name, Middle Name, or Last Name fields can allow attackers to insert arbitrary script or HTML when users are invited to an event. To address this vulnerability, users should upgrade Liferay Portal to version 7.4.3.111 and Liferay DXP to version 2024.Q1.1, 2023.Q4.5, 2023.Q3.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43820.

In Liferay Portal versions 7.4.3.74 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.8, and 7.4 Update 74 through Update 92, a medium severity vulnerability, CVE-2025-43817, was detected. This issue consists of multiple reflected script injection vulnerabilities, where remote attackers can inject arbitrary script or HTML through the redirect parameter in Announcements or Alerts. To address this vulnerability, users should upgrade Liferay Portal to version 7.4.3.112 and Liferay DXP to version 2023.Q3.9, 2023.Q4.7, 2024.Q1.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43817.

In Liferay Portal versions 7.4.0 through 7.4.3.107 and 7.3.0 through 7.3.7, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through Update 92, 7.3 GA through Update 35, and older unsupported releases, a medium severity vulnerability, CVE-2025-43813, was detected. This path traversal and denial-of-service issue in the ComboServlet allows remote attackers to access arbitrary CSS and JavaScript files and to repeatedly load them via crafted query strings, potentially causing resource exhaustion. To address this vulnerability, users should upgrade Liferay Portal to version 7.4.3.108 and Liferay DXP to version 2024.Q1.1, 2023.Q4.5, 2023.Q3.9, 7.3 U36 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43813.

In Liferay Portal versions 7.2.0 through 7.4.3.112 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4, and older unsupported versions, a medium severity vulnerability, CVE-2025-43814, was detected. This issue occurs because audit events record a user's password reminder answer, which can allow remote authenticated users to obtain this sensitive information through the audit logs. To address this vulnerability, users should upgrade Liferay Portal to version 7.4.3.113 and Liferay DXP to version 2024.Q2.0, 2024.Q1.1, 2023.Q4.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43814.

In Kibana versions from 8.7.0 up to 8.15.0, a medium severity vulnerability, CVE-2024-43710, was detected. This vulnerability allows a user with read access to Fleet to exploit the /api/fleet/health_check API to send requests to internal HTTPS endpoints that return JSON, resulting in a server-side request forgery (SSRF). To address this issue, users should upgrade Kibana to version 8.15.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-43710.

In Kibana versions up to and including 7.17.22 and 8.0.0 up to and including 8.14.3, a medium severity vulnerability, CVE-2024-43708, was detected. This vulnerability allows an authenticated user with read access to any feature in Kibana to send a specially crafted payload to certain UI inputs, causing the server to crash due to resource allocation without limits or throttling. To address this issue, users should upgrade Kibana to version 7.17.23, 8.15.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-43708.

In Kibana versions from 8.0.0 up to 8.15.0, a high severity vulnerability, CVE-2024-43707, was detected. This issue allows a user without access to Fleet to view Elastic Agent policies, which could contain sensitive information depending on the enabled integrations and their versions. To address this vulnerability, users should upgrade Kibana to version 8.15.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-43707.