7.5
CVE-2025-6709 - Pre-Authentication Denial of Service Vulnerability in MongoDB Server's OIDC Authentication
The MongoDB Server is susceptible to a denial of service vulnerability due to improper handling of specific date values in JSON input when using OIDC authentication. This can be reproduced using the mongo shell to send a malicious JSON payload leading to an invariant failure and server crash. This …
4.2
CVE-2025-6707 - Race condition in privilege cache invalidation cycle
Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.24, MongoDB Server v7.0 version prior to…
5
CVE-2025-6706 - Running certain aggregation operations with the SBE engine may lead to unexpected behavior on Mongo…
An authenticated user may trigger a use after free that may result in MongoDB Server crash and other unexpected behavior, even if the user does not have authorization to shut down a server. The crash is triggered on affected versions by issuing an aggregation framework operation using a specific co…
8.9
CVE-2025-49003 - Dataease H2 JDBC Connection Remote Code Execution
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, a threat actor may take advantage of a feature in Java in which the character "ı" becomes "I" when converted to uppercase, and the character "ſ" becomes "S" when converted to uppercase. A threat …
5.4
CVE-2025-6677 - Paragraphs table - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-084
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Paragraphs table allows Cross-Site Scripting (XSS). This issue affects Paragraphs table: from 2.0.0 before 2.0.5.
5.4
CVE-2025-6676 - Simple XML sitemap - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-083
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Simple XML sitemap allows Cross-Site Scripting (XSS). This issue affects Simple XML sitemap: from 0.0.0 before 4.2.2.
4.8
CVE-2025-6675 - Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-082
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass. This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.8.0, from 5.2.0 before 5.2.1, from 0.0.0 before 5.0.*, from 0.0.0 before 5.1.*.
6.1
CVE-2025-6674 - CKEditor5 Youtube - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-081
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CKEditor5 Youtube allows Cross-Site Scripting (XSS). This issue affects CKEditor5 Youtube: from 0.0.0 before 1.0.3.
4.3
CVE-2025-5682 - Klaro Cookie & Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-080
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Klaro Cookie & Consent Management allows Cross-Site Scripting (XSS). This issue affects Klaro Cookie & Consent Management: from 0.0.0 before 3.0.7.
8.8
CVE-2025-48921 - Open Social - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-079
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Open Social allows Cross Site Request Forgery. This issue affects Open Social: from 0.0.0 before 12.3.14, from 12.4.0 before 12.4.13.