PT-2025-9509 · Unknown · Tuleap Enterprise Edition +1

Marie Ange Garnier +1 · Published 2025-03-03 · Updated 2025-07-10 · CVE-2025-27094

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Tuleap Community Edition versions 16.4.99.1739806825 through 16.4.99.1739877910
Tuleap Enterprise Edition versions prior to 16.3-9
Tuleap Enterprise Edition versions prior to 16.4-4

Description

A malicious user with access to a tracker could force-reset certain field configurations, leading to potential information loss. The display time attribute for the date field, the size attribute for the multiselectbox field, the default value, number of rows, and columns attributes for the text field, and the default value, size, and max characters attributes for the string field configurations are lost when added as criteria in a saved report. This issue could be exploited to prevent access to tracker data by triggering a crash.

Recommendations

For Tuleap Community Edition versions 16.4.99.1739806825 through 16.4.99.1739877910, update to version 16.4.99.1739877910 or later.
For Tuleap Enterprise Edition versions prior to 16.3-9, update to version 16.3-9 or later.
For Tuleap Enterprise Edition versions prior to 16.4-4, update to version 16.4-4 or later.
As a temporary workaround, consider restricting access to the tracker to minimize the risk of exploitation.

Related Identifiers

CVE-2025-27094
GHSA-R85G-9WJX-PW7F

Affected Products

Tuleap Community Edition
Tuleap Enterprise Edition