In Mattermost versions 10.5.x through 10.5.10 and 10.11.x through 10.11.2 a medium severity vulnerability CVE-2025-41443 was detected. Improper validation of guest user permissions allows attackers to discover active public channels and their metadata via the /api/v4/teams/{team_id}/channels/ids endpoint. To address this issue, users should upgrade to Mattermost versions 10.5.11, 10.11.3, or 10.12.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-41443.
Read more CommunicationIn Mattermost versions 10.5.x through 10.5.10, 10.10.x through 10.10.2, and 10.11.x through 10.11.2 a medium severity vulnerability CVE-2025-41410 was detected. Improper validation of email ownership during the Slack import process allows attackers to create verified user accounts with arbitrary email domains, bypassing email-based team access restrictions. To address this issue, users should upgrade to Mattermost versions 10.5.11, 10.10.3, 10.11.3, or 10.12.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-41410.
Read more CommunicationIn Mattermost versions 10.5.x through 10.5.10, 10.10.x through 10.10.2, and 10.11.x through 10.11.1 a high severity vulnerability CVE-2025-58075 was detected. Improper validation of the SAML RelayState parameter allows attackers to join any team on a Mattermost server, bypassing invite restrictions. To address this issue, users should upgrade to Mattermost versions 10.5.11, 10.10.3, 10.11.2, or 10.12.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-58075.
Read more CommunicationIn Liferay Portal versions 7.4.0 through 7.4.3.111 and older unsupported versions, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions a medium severity vulnerability CVE-2025-62246 was detected. Multiple stored cross-site scripting (XSS) vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via crafted payloads in a user’s first, middle, or last name fields. The injected payloads may execute in multiple components, including page comments, blog entries, document and media comments, message board messages, wiki page comments, and other widgets or apps supporting mentions. To address this issue, users should upgrade to Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62246.
Read more CMSIn Liferay Portal versions 7.3.1 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and 7.3 GA through update 36 a medium severity vulnerability CVE-2025-62244 was detected. An insecure direct object reference (IDOR) vulnerability in the Publications module allows remote authenticated users to access and view the edit page of a publication by manipulating the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_ctCollectionId parameter. To address this issue, users should upgrade to Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62244.
Read more CMSIn Liferay Portal versions 7.4.1 through 7.4.3.112 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-62243 was detected. Insecure direct object reference (IDOR) flaws in the Publications module allow remote authenticated users to view publication comments via the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_value parameter and edit them through crafted URLs due to missing permission checks. To address this issue, users should upgrade to Liferay Portal 7.4.3.113, Liferay DXP 2024.Q2.0, 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62243.
Read more CMSIn Liferay Portal versions 7.4.3.4 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-62242 was detected. An insecure direct object reference (IDOR) flaw in the Account module allows authenticated users from one account to access address information belonging to a different account via the _com_liferay_account_admin_web_internal_portlet_AccountEntriesAdminPortlet_addressId parameter. To address this issue, users should upgrade to Liferay Portal 7.4.3.113, Liferay DXP 2024.Q1.1, or 2023.Q4.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62242.
Read more CMSIn SonarQube versions prior to 25.6, 2025.3 Commercial, and 2025.1.3 LTA a medium severity vulnerability CVE-2025-62292 was detected. Authenticated low-privileged users can query the /api/v2/users-management/users endpoint and access user fields intended for administrators only, including the email addresses of other accounts. To address this issue, users should upgrade SonarQube to versions 25.6, 2025.3 Commercial, 2025.1.3 LTA or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62292.
Read more Developer ToolsIn Mattermost Desktop App versions up to 5.13.0 a medium severity vulnerability CVE-2025-58084 was detected. The application fails to validate URLs external to the configured Mattermost servers, allowing an attacker on a configured server to crash the user’s application by sending a malformed URL. To address this issue, users should upgrade the Mattermost Desktop App to version 5.13.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-58084.
Read more Communication