| CVE ID | Vulnerability type | Description | Affected versions | Fixed in | Reported by |
|---|---|---|---|---|---|
| CVE-2025-43923 | SQL injection | A user who has administrative privilege in Focal Point can perform SQL injection via the image parameter during a delete report image operation. | Focal Point 7.2.0 to 7.6.2 | Focal Point 7.7 | Ianis BERNARD from NATO Cyber Security Centre (NCSC) |
| CVE-2025-43924 | Cross Site Scripting (XSS) | The val parameter in SettingController and the rootserviceurl parameter in FriendsController, entered by an admin, allow stored XSS. | Focal Point 7.2.0 to 7.6.2 | Focal Point 7.7 | Ianis BERNARD from NATO Cyber Security Centre (NCSC) |
| CVE-2025-43925 | Hard-coded cryptographic key | Some information stored in the database is encrypted with a hardcoded key, making it easier to recover the cleartext data. | Focal Point 7.2.0 to 7.6.2 | Focal Point 7.7 | Ianis BERNARD from NATO Cyber Security Centre (NCSC) |
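The first row describes SQL injection through the image parameter of a delete report image operation. The following is an added illustration, not Focal Point's code: it shows the defect class (an admin-supplied value concatenated into a DELETE statement) next to the standard fix (parameter binding), run against a constructed in-memory SQLite table. The table name `report_image`, its columns, and the function names are assumptions for the demo; the advisory does not disclose the real schema or code.

```python
import sqlite3

# Constructed sample schema; the real Focal Point schema is not known from the advisory.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE report_image (report_id INTEGER, image TEXT)")
    conn.executemany(
        "INSERT INTO report_image VALUES (?, ?)",
        [(1, "logo.png"), (1, "chart.png"), (2, "banner.png")],
    )
    conn.commit()
    return conn

def delete_report_image_vulnerable(conn, report_id, image):
    # Defect pattern: the image name is spliced into the SQL text, so quote
    # characters in it change the statement's structure, not just its data.
    sql = (
        f"DELETE FROM report_image WHERE report_id = {int(report_id)} "
        f"AND image = '{image}'"
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # number of rows actually deleted

def delete_report_image_fixed(conn, report_id, image):
    # Fix: bind the value as a parameter; the driver keeps SQL text and data
    # separate, so the image name can only ever match a column value.
    cur = conn.execute(
        "DELETE FROM report_image WHERE report_id = ? AND image = ?",
        (int(report_id), image),
    )
    conn.commit()
    return cur.rowcount

def remaining(conn):
    return conn.execute("SELECT COUNT(*) FROM report_image").fetchone()[0]

def demo(image="x' OR '1'='1"):
    # Runs the same (constructed) quote-bearing input through both versions and
    # returns (rows deleted by vulnerable path, rows deleted by fixed path).
    conn_v = make_db()
    deleted_v = delete_report_image_vulnerable(conn_v, 1, image)
    conn_f = make_db()
    deleted_f = delete_report_image_fixed(conn_f, 1, image)
    return deleted_v, deleted_f

if __name__ == "__main__":
    print(demo())  # (3, 0): the concatenated query wipes every row, the bound one touches none
```

The useful check for a code review is the return value of the two paths: the concatenated statement deletes every row in the table (the `OR` clause swallows the `report_id` restriction), while the parameterized statement deletes nothing because no row has that literal image name. The "administrative privilege" qualifier in the advisory lowers exploitability but does not change the fix; admin-entered values go through the same binding as any other input.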