| Date | 2026-03-04 |
| Severity | reported "high", BlueSpice assessment: low |
| Affected | Services in LTS version < 5.1.5; BlueSpice PRO/FARM < 5.1.4; BlueSpice PRO/FARM < 5.2.0 |
| Fixed in | BlueSpice PRO/FARM 5.1.4; BlueSpice PRO/FARM 5.2.1 |
| CVE |
Problem
| CVE | Component | Type of vulnerability | BlueSpice 5 | BlueSpice 4 |
|---|---|---|---|---|
| CVE-2025-15467 | Container bluespice/database | Buffer Overflow | affected | affected |
| CVE-2026-24732 | Extension:NSFileRepo | Information Disclosure | affected | not affected |
Impact assessment
| CVE | Assessment | Mitigation without update |
|---|---|---|
| CVE-2025-15467 | Low: in the default configuration of bluespice-deploy, this is not exploitable. | Make sure the service has no access to the internet. This is the default configuration of BlueSpice setups. |
| CVE-2026-24732 | Low: in the default configuration of BlueSpice MediaWiki, this is not exploitable. The affected type of configuration is considered an edge case. | Make sure `$wgGroupPermissions['*']['read']` is set to `false` in `LocalSettings.php`. |
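
As an added example (not part of the BlueSpice advisory or its code), the Python sketch below checks the text of a `LocalSettings.php` for the CVE-2026-24732 mitigation named in the table above. It assumes the setting is assigned directly as a literal in that file; the function names and the sample file contents are constructed for illustration.

```python
import re
import sys

# Matches e.g.  $wgGroupPermissions['*']['read'] = false;
# Assumption: element-wise assignment; array-literal forms are not recognised.
ASSIGN = re.compile(
    r"""\$wgGroupPermissions\s*\[\s*['"]\*['"]\s*\]\s*\[\s*['"]read['"]\s*\]\s*=\s*([^;]+);"""
)

def strip_php_comments(src: str) -> str:
    """Heuristically drop /* */, // and # comments so commented-out settings are ignored."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    # Only treat // or # as a comment at line start or after whitespace/';',
    # so "https://..." inside a string is left alone.
    return re.sub(r"(?m)(?:^|(?<=[\s;]))(?://|#).*$", "", src)

def anonymous_read_status(src: str) -> str:
    """Classify a LocalSettings.php text: 'restricted', 'exposed', 'unset' or 'review'."""
    values = [m.group(1).strip().lower()
              for m in ASSIGN.finditer(strip_php_comments(src))]
    if not values:
        return "unset"       # not set here; MediaWiki core defaults this right to true
    last = values[-1]        # PHP runs top to bottom, so the last assignment wins
    if last == "false":
        return "restricted"  # the mitigation from the advisory is in place
    if last == "true":
        return "exposed"
    return "review"          # non-literal value: needs a human to evaluate

# Constructed sample inputs, not taken from a real installation.
SAMPLE_MITIGATED = """<?php
$wgGroupPermissions['*']['read'] = true;
# private wiki from here on
$wgGroupPermissions['*']['read'] = false;
"""
SAMPLE_COMMENTED_OUT = """<?php
// $wgGroupPermissions['*']['read'] = false;
$wgSitename = "Wiki"; // see https://example.org
"""

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            print(path, anonymous_read_status(fh.read()))
```

A result of `unset` or `review` means the file alone does not settle the question, for example when the value is set in another included settings file.
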
Solution
Update to BlueSpice 5.1.4+ or 5.2.1+