Security news and analysis brought to you by the McCrary Institute
Critical Apache Roller vulnerability (CVSS 10.0) enables unauthorized session persistence


By Ravie Lakshmanan

A critical security vulnerability has been disclosed in Apache Roller, the open-source, Java-based blogging server. Because existing sessions survive a password change, an attacker who has already obtained a session (for example, with stolen credentials) can keep unauthorized access to the account even after the legitimate owner resets the password.

The flaw, assigned the CVE identifier CVE-2025-24859, carries a CVSS score of 10.0, indicating maximum severity. It affects all versions of Roller up to and including 6.1.4.

Read more at The Hacker News