
Overview

MongoDB has issued an urgent advisory for a high-severity, pre-authentication information disclosure vulnerability in MongoDB Server. MongoDB is a database system used by organisations to store and retrieve application data (often for websites, apps, and services). The flaw may allow a remote, unauthenticated attacker to leak sensitive in-memory data (e.g. credentials or tokens). Because exploitation is possible without authentication or user interaction, internet-exposed MongoDB instances are at increased risk.

  • CVE-2025-14847: MongoDB Server Uninitialised Memory Disclosure Vulnerability (CVSSv4 8.7)  

Affected versions:

  • v7.0: all versions prior to 7.0.28
  • v8.0: all versions prior to 8.0.17
  • v8.2: all versions prior to 8.2.3
  • v6.0: all versions prior to 6.0.27
  • v5.0: all versions prior to 5.0.32
  • v4.4: all versions prior to 4.4.30
  • v4.2 / v4.0 / v3.6: all versions

M-Files is a document and information management platform used to store, organise, and manage business documents and workflows. The vendor has published updates to remediate a high-severity information disclosure vulnerability in M-Files Web (part of M-Files Server). Under certain conditions, an authenticated attacker may be able to capture the session tokens of other active users; a captured token could then be reused to impersonate the victim and access data or perform actions with their permissions.

  • CVE-2025-13008: M-Files Web Session Token Disclosure Vulnerability (CVSSv4 8.6) 

Affected versions (M-Files Server):

  • Versions before 25.12.15491.7
  • Versions before 25.8 LTS SR3 (25.8.15085.18)
  • Versions before 25.2 LTS SR3 (25.2.14524.14)
  • Versions before 24.8 LTS SR5 (24.8.13981.17)

n8n has released fixes for a critical remote code execution vulnerability affecting its workflow expression evaluation system. n8n is a workflow automation platform that helps teams connect apps and automate tasks and processes. Under certain conditions, expressions supplied by an authenticated user may allow execution of arbitrary code, potentially leading to full compromise of the instance.

  • CVE-2025-68613: n8n Workflow Expression Evaluation Remote Code Execution Vulnerability (CVSSv3 9.9). Affected versions are >= 0.211.0 and < 1.120.4, < 1.121.1, and < 1.122.0. 

Themify has addressed a vulnerability in its Shopo theme in which insufficient file validation allows attackers to upload executable scripts. This can result in remote code execution and complete site takeover. Themify Shopo is a WordPress theme designed for e-commerce websites.

  • CVE-2025-31048: Arbitrary File Upload Vulnerability (CVSSv3 9.9). Affected versions: Shopo ≤1.1.4 

Mitsubishi Electric has addressed a vulnerability in its air conditioning controllers caused by missing authentication checks for critical functions. Attackers can remotely issue commands, alter settings, or upload malicious firmware, posing serious operational and safety risks. These controllers manage and monitor air conditioning systems in commercial and industrial environments.

  • CVE-2025-3699: Missing Authentication for Critical Function (CVSSv3 9.8). Affected versions: All versions of G50, G50W, G50A, GB50, GB50A, GB24A, G150AD, AG150AA/J, GB50AD, GB50ADAA/J, EB50GUA/J, AE200J/A/E, AE50J/A/E, EW50J/A/E, TE200A, TE50A, TW50A, CMSRMDJ 

Recommended Action   

Organisations are encouraged to review the appropriate security advisory pages and apply the updates:   

MongoDB – MongoDB Jira 

M-Files – M-Files Product Center

n8n – GitHub 

Themify – Arbitrary File Upload in WordPress Shopo Theme - Patchstack

Mitsubishi Electric – Mitsubishi Electric Air Conditioning Systems (Update B) | CISA

If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.
