Security Vulnerabilities - CVEs Published In October 2025
An example dag `example_dag_decorator` had non-validated parameter that allowed the UI user to redirect the example to a malicious server and execute code on worker. This however required that the example dags are enabled in production (not default) or the example dag code copied to build your own similar dag. If you used the `example_dag_decorator` please review it and apply the changes implemented in Airflow 3.0.5 accordingly.
CVSS Score
4.6
EPSS Score
0.001
Published
2025-10-30
API users via `/api/v2/dagReports` could perform Dag code execution in the context of the api-server if the api-server was deployed in the environment where Dag files were available.
CVSS Score
5.4
EPSS Score
0.002
Published
2025-10-30
User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action.
CVSS Score
4.6
EPSS Score
0.001
Published
2025-10-30
Missing Authorization vulnerability in Drupal Acquia DAM allows Forceful Browsing.This issue affects Acquia DAM: from 0.0.0 before 1.1.5.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-10-30
Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force.This issue affects Access code: from 0.0.0 before 2.0.5.
CVSS Score
6.3
EPSS Score
0.001
Published
2025-10-30
Improper Validation of Consistency within Input vulnerability in Drupal Reverse Proxy Header allows Manipulating User-Controlled Variables.This issue affects Reverse Proxy Header: from 0.0.0 before 1.1.2.
CVSS Score
5.3
EPSS Score
0.001
Published
2025-10-30
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Currency allows Cross Site Request Forgery.This issue affects Currency: from 0.0.0 before 3.5.0.
CVSS Score
4.3
EPSS Score
0.0
Published
2025-10-30
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Umami Analytics allows Cross-Site Scripting (XSS).This issue affects Umami Analytics: from 0.0.0 before 1.0.1.
CVSS Score
3.8
EPSS Score
0.0
Published
2025-10-30
Incorrect Authorization vulnerability in Drupal CivicTheme Design System allows Forceful Browsing.This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-10-30
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS).This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-10-30