In Liferay Portal versions 7.4.0 through 7.4.3.132 and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, and 7.3 GA through update 35 a medium severity vulnerability CVE-2025-62250 was detected. This vulnerability allows remote attackers to send unauthenticated cluster messages that are treated as trusted data, potentially compromising system integrity. To address this issue, users should upgrade to Liferay DXP versions 2024.Q1.1, 2023.Q4.1, 2023.Q3.5, 7.3 update 36, or the latest master branch of Liferay Portal. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62250.
Read more CMSIn Liferay Portal versions 7.4.0 through 7.4.3.132 and Liferay DXP 2025.Q3.0 through 2025.Q3.2, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20, and 2023.Q4.0 through 2023.Q4.10 a medium severity vulnerability CVE-2025-62249 was detected. This reflected XSS vulnerability allows a remote unauthenticated attacker to inject arbitrary JavaScript via the google_gadget. To address this issue, users should upgrade to Liferay DXP versions 2025.Q3.3, 2025.Q1.18, 2024.Q1.21, or the latest master branch of Liferay Portal. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62249.
Read more CMSIn Sonatype Nexus Repository 2.x versions up to and including 2.15.2 a high severity vulnerability CVE-2025-9868 was detected. This vulnerability in the Remote Browser Plugin allows unauthenticated remote attackers to exfiltrate proxy repository credentials via crafted HTTP requests. To address this issue, users should upgrade to Nexus Repository 3.x. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9868.
Read more Developer ToolsIn Liferay Portal versions 7.3.2 through 7.4.3.111, and Liferay DXP 7.3 GA through update 35, 7.4 GA through update 92, 2023.Q3.1 through 2023.Q3.8, and 2023.Q4.0 through 2023.Q4.5 a medium severity vulnerability CVE-2025-43830 was detected. This vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted payload in a form with a rich text type field. Users should update Liferay Portal to 7.4.3.112 and Liferay DXP to 7.3 update 36, 7.4.Q1.1, 2023.Q3.9, or 2023.Q4.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43830.
Read more CMSIn Liferay Portal versions 7.4.3.18 through 7.4.3.111, and Liferay DXP 7.4 update 18 through update 92, 2023.Q3.1 through 2023.Q3.8, and 2023.Q4.0 through 2023.Q4.5 a medium severity vulnerability CVE-2025-43829 was detected. This vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted payload in a Commerce diagram SVG file. Users should update Liferay Portal to 7.4.3.112 and Liferay DXP to 7.3 update 36, 7.4.Q1.1, 2023.Q3.9, or 2023.Q4.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43829.
Read more CMSIn Mastodon versions 4.2.27 through 4.2.x, 4.3.0 through 4.3.14, and 4.4.0 through 4.4.6 a medium severity vulnerability CVE-2025-62176 was detected. The streaming server serves public timeline events to clients with valid tokens even if they lack the read:statuses scope, allowing limited access to new public posts. To address this issue, users should upgrade Mastodon to versions 4.2.27, 4.3.14, or 4.4.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62176.
Read more CommunicationIn Mastodon versions 4.2.27 through 4.2.x, 4.3.0 through 4.3.14, and 4.4.0 through 4.4.6 a medium severity vulnerability CVE-2025-62175 was detected. Disabling or suspending user accounts does not disconnect them from the streaming API, allowing continued access to real-time updates. To address this issue, users should upgrade Mastodon to versions 4.2.27, 4.3.14, or 4.4.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62175.
Read more CommunicationIn Mastodon versions 4.2.27 through 4.2.x, 4.3.0 through 4.3.14, and 4.4.0 through 4.4.6 a low severity vulnerability CVE-2025-62174 was detected. Active sessions and access tokens are not revoked when a user’s password is reset via the command-line interface, allowing continued access to the account. To address this issue, users should upgrade Mastodon to versions 4.2.27, 4.3.14, or 4.4.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62174.
Read more CommunicationIn Spring Framework versions 6.2.0 through 6.2.11, 6.1.0 through 6.1.23, and 5.3.0 through 5.3.45 a medium severity vulnerability CVE-2025-41254 was detected. STOMP over WebSocket applications may allow an attacker to send unauthorized messages. To address this issue, users should upgrade Spring Framework to versions 6.2.12, 6.1.24, or 5.3.46 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-41254.
Read more Application Development