Unknown · Tuleap Enterprise Edition · CVE-2025-27094
**Name of the Vulnerable Software and Affected Versions**
Tuleap Community Edition versions 16.4.99.1739806825 through 16.4.99.1739877910
Tuleap Enterprise Edition versions prior to 16.3-9
Tuleap Enterprise Edition versions prior to 16.4-4
**Description**
A malicious user with access to a tracker could force-reset certain field configurations, leading to potential information loss. The following field configurations are lost when the field is added as a criterion in a saved report: the display time attribute of the `date` field; the size attribute of the `multiselectbox` field; the default value, number of rows, and columns attributes of the `text` field; and the default value, size, and max characters attributes of the `string` field. This issue could be exploited to prevent access to tracker data by triggering a crash.
**Recommendations**
For Tuleap Community Edition versions 16.4.99.1739806825 through 16.4.99.1739877910, update to version 16.4.99.1739877910 or later.
For Tuleap Enterprise Edition versions prior to 16.3-9, update to version 16.3-9 or later.
For Tuleap Enterprise Edition versions prior to 16.4-4, update to version 16.4-4 or later.
As a temporary workaround, consider restricting access to the tracker to minimize the risk of exploitation.