In Spring Framework versions 6.2.0 through 6.2.11, 6.1.0 through 6.1.23, and 5.3.0 through 5.3.45 a medium severity vulnerability CVE-2025-41254 was detected. STOMP over WebSocket applications may allow an attacker to send unauthorized messages. To address this issue, users should upgrade Spring Framework to versions 6.2.12, 6.1.24, or 5.3.46 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-41254.
Read more Application DevelopmentIn Strapi versions prior to 5.20.0 a medium severity vulnerability CVE-2025-53092 was detected. Default installations of Strapi reflect the value of the Origin header back in the Access-Control-Allow-Origin response header without proper validation or whitelisting. This allows an attacker-controlled site to send credentialed requests to the Strapi backend, potentially exposing sensitive data. To address this issue, users should upgrade Strapi to version 5.20.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-53092.
Read more Application DevelopmentIn Strapi versions prior to 5.10.3 a medium severity vulnerability CVE-2025-25298 was detected. The @strapi/core package does not enforce a maximum password length when using bcryptjs for password hashing. Passwords longer than 72 bytes are silently truncated, reducing effective entropy and potentially misleading users about password strength. To address this issue, users should upgrade Strapi to version 5.10.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25298.
Read more Application DevelopmentIn Strapi versions prior to 5.24.1 a medium severity vulnerability CVE-2025-3930 was detected. JWT tokens are not invalidated after logout or account deactivation, allowing an attacker who has stolen or intercepted a token to reuse it until its expiration. The existence of the /admin/renew-token endpoint allows near-expiration tokens to be renewed indefinitely, increasing the potential impact. To address this issue, users should upgrade Strapi to version 5.24.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3930.
Read more Application DevelopmentIn Mattermost versions 10.5.x through 10.5.10 and 10.11.x through 10.11.2 a low severity vulnerability CVE-2025-10545 was detected. Improper validation of guest user permissions allows attackers to add any team members to private channels via the /api/v4/channels/{channel_id}/members endpoint. To address this issue, users should upgrade to Mattermost versions 10.5.11, 10.11.3, or 10.12.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-10545.
Read more CommunicationIn Apache Spark versions before 3.4.4, 3.5.2, and 4.0.0 a medium severity vulnerability CVE-2025-55039 was detected. When spark.network.crypto.enabled is true but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication. This allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows. To address this issue, users should upgrade Apache Spark to 3.4.4, 3.5.2, or 4.0.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-55039.
Read more Data AnalyticsIn Mattermost versions 10.5.x through 10.5.10, 10.10.x through 10.10.2, and 10.11.x through 10.11.1 a high severity vulnerability CVE-2025-58073 was detected. Improper validation of the OAuth state parameter allows attackers to join any team on a Mattermost server, bypassing invite restrictions. To address this issue, users should upgrade to Mattermost versions 10.5.11, 10.10.3, 10.11.2, or 10.12.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-58073.
Read more CommunicationIn Mattermost Desktop App versions up to 5.13.0 a medium severity vulnerability CVE-2025-55035 was detected. Improper handling of modal dialogs for servers using basic authentication allows an attacker to deny access to the Desktop App. By tricking a user into configuring a malicious server, a modal popup can be triggered that cannot be closed, effectively causing a denial of service. To address this issue, users should upgrade to Mattermost Desktop App version 5.13.1.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-55035.
Read more CommunicationIn Mattermost versions 10.5.x through 10.5.10 and 10.11.x through 10.11.2 a low severity vulnerability CVE-2025-54499 was detected. Improper handling of sensitive string comparisons without constant-time enforcement allows attackers to exploit timing differences to perform byte-by-byte brute force attacks on Cloud API keys and OAuth client secrets. To address this issue, users should upgrade to Mattermost versions 10.5.11, 10.11.3, or 10.12.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-54499.
Read more Communication