Add CVE-2025-40592 to Security Advisories #9789

Merged
merged 2 commits into from
Jul 8, 2025
1 change: 1 addition & 0 deletions content/en/docs/releasenotes/security-advisories/_index.md
Expand Up @@ -20,6 +20,7 @@ Siemens publishes their common vulnerabilities and exposures (CVE) on the second

| CVE ID | CVSS v3.1 Base Score | Siemens Security Advisory (SSA) Description | Notes |
| --- | --- | --- | --- |
| <a id="40592">CVE-2025-40592 | 6.1 | [Zip Path Traversal Vulnerability in Mendix Studio Pro's Module Installation Process](https://cert-portal.siemens.com/productcert/html/ssa-627195.html) | See the SSA description for remediation details. |
| <a id="40571">CVE-2025-40571 | 2.2 | [Incorrect Privilege Assignment Vulnerability in Mendix OIDC SSO Module](https://cert-portal.siemens.com/productcert/html/ssa-726617.html) | See the SSA description for remediation details. |
| <a id="30280">CVE-2025-30280 | 5.3 | [Entity Enumeration Vulnerability in Mendix Runtime](https://cert-portal.siemens.com/productcert/html/ssa-874353.html) | See the SSA description for remediation details. |
| <a id="50313">CVE-2024-50313 | 5.3 | [Race Condition Vulnerability in Basic Authentication Implementation of Mendix Runtime](https://cert-portal.siemens.com/productcert/html/ssa-914892.html) | See the SSA description for remediation details. |
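Review bot: the new row opens `<a id="40592">` but never closes it with `</a>`, and the three rows below it have the same shape. The release-note bullets in this PR link to `/releasenotes/security-advisories/#40592`, so the `id` is what the anchor needs, but an unclosed `<a>` inside a Markdown table cell leaves the rest of the row (including the SSA link) nested in the anchor element depending on how the renderer recovers. Consider `<a id="40592"></a>CVE-2025-40592` for the new row and the same fix for the existing rows in a follow-up. The 6.1 score agrees with the vector quoted in the release notes (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N evaluates to 6.1), so that column is consistent.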
1 change: 1 addition & 0 deletions content/en/docs/releasenotes/studio-pro/10/10.12.md
Expand Up @@ -25,6 +25,7 @@ This is the [MTS](/releasenotes/studio-pro/lts-mts/#mts) version 10 release for

### Fixes

* We fixed a security issue related to importing modules into Studio Pro. (6.1 – CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N – for more information see [Security Advisories](/releasenotes/security-advisories/#40592))
* We fixed an issue where Consumed Web Service caused a validation failure at runtime for WSDL files imported locally. (Ticket 146066)
* We fixed an issue where fields that could not be unchecked while Export mapping an XML schema or Consumed Web Service were not checked and expanded by default when selecting the document schema source for the first time. (Ticket 232274)
* We fixed an issue where disabling the **Multiple sessions per user** setting incorrectly killed all existing user sessions and deleted all associated tokens, including the currently valid one. (Ticket 238657)
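Review bot: the bullet never names CVE-2025-40592 itself, only the anchor `#40592`, so a reader searching the 10.12 release notes for the CVE ID will not find it; consider "We fixed a security issue related to importing modules into Studio Pro (CVE-2025-40592)." before the score. The identical wording is repeated in the other release-note files in this PR, so whatever is decided here should be applied to all of them. The score and vector match the advisories table entry.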
1 change: 1 addition & 0 deletions content/en/docs/releasenotes/studio-pro/10/10.18.md
Expand Up @@ -61,6 +61,7 @@ This is the [MTS](/releasenotes/studio-pro/lts-mts/#mts) version 10 release for

### Fixes

* We fixed a security issue related to importing modules into Studio Pro. (6.1 – CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N – for more information see [Security Advisories](/releasenotes/security-advisories/#40592))
* We fixed an issue where the date format changed from 'dd-mm-yyyy' to 'dd-mm-y' when upgrading to Java 21. (Ticket 234598)
* We fixed an issue where disabling the **Multiple sessions per user** setting incorrectly killed all existing user sessions and deleted all associated tokens, including the currently valid one. (Ticket 238657)
* We fixed an issue where the `Substract`, `Union` and `Intersect` list operations did not always return a list with unique values when used in a nanoflow. (Ticket 240695)
1 change: 1 addition & 0 deletions content/en/docs/releasenotes/studio-pro/10/10.23.md
Expand Up @@ -39,6 +39,7 @@ weight: 77

### Fixes

* We fixed a security issue related to importing modules into Studio Pro. (6.1 – CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N – for more information see [Security Advisories](/releasenotes/security-advisories/#40592))
* In the logic editors, we fixed an issue where a warning was shown for microflows being inaccessible even though they were used in the application. (Tickets 184859, 186059, 215091, 216988)
* We fixed an issue where having a disabled and detached activity in a microflow caused the microflow to not execute the main flow. (Ticket 243133)
* We fixed an issue with microflow parameter mappings that caused an error pop-up window. (Ticket 244852)
1 change: 1 addition & 0 deletions content/en/docs/releasenotes/studio-pro/10/10.6.md
Expand Up @@ -23,6 +23,7 @@ This is the [MTS](/releasenotes/studio-pro/lts-mts/#mts) version 10 release for

### Fixes

* We fixed a security issue related to importing modules into Studio Pro. (6.1 – CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N – for more information see [Security Advisories](/releasenotes/security-advisories/#40592))
* We fixed the behavior of the `urlEncode` and `urlDecode` functions in the client to align with the runtime. This means that spaces are now correctly encoded as `%20` instead of `+`. `urlDecode` still supports decoding strings containing `+` to ensure backwards compatibility with strings encoded in previous versions. (Ticket 245510)
* We fixed an issue in the domain model editor, where an unexpected exception closed Studio Pro instead of showing an exception in a dialog.
* We fixed an issue where Studio Pro would showed an exception while checking the consistency of external attributes, associations, and enumerations.
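Review bot: not introduced by this change but visible in the context, "Studio Pro would showed an exception" should read "would show"; worth a drive-by fix while this file is being touched.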
1 change: 1 addition & 0 deletions content/en/docs/releasenotes/studio-pro/11/11.0.md
Expand Up @@ -131,6 +131,7 @@ For details on upgrading to Studio Pro 11, see [Upgrading from Mendix Studio Pro

### Fixes

* We fixed a security issue related to importing modules into Studio Pro. (6.1 – CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N – for more information see [Security Advisories](/releasenotes/security-advisories/#40592))
* We fixed an issue where Consumed Web Service caused a validation failure at runtime for WSDL files imported locally. (Ticket 146066)
* In the logic editors, we fixed an issue where a warning was shown for microflows being inaccessible even though they were used in the application. (Tickets 184859, 186059, 215091, 216988)
* We reapplied a fix for an issue affecting listening between widgets. (Ticket 206642)
2 changes: 2 additions & 0 deletions content/en/docs/releasenotes/studio-pro/8/8.18.md
Expand Up @@ -22,8 +22,10 @@ This is the [LTS](/releasenotes/studio-pro/lts-mts/#lts) version 8 release for a

### Fixes

* We fixed a security issue related to importing modules into Studio Pro. (6.1 – CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N – for more information see [Security Advisories](/releasenotes/security-advisories/#40592))
* We fixed an issue where Consumed Web Service caused a validation failure at runtime for WSDL files imported locally. (Ticket 146066)


## 8.18.34 {#81834}

**Release date: April 24, 2025**
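Review bot: the second added line in this hunk is an extra blank line, leaving two empty lines between the fix list and `## 8.18.34 {#81834}`; keep a single blank line before the heading, as the other release-note files in this PR do.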
1 change: 1 addition & 0 deletions content/en/docs/releasenotes/studio-pro/9/9.24.md
Expand Up @@ -53,6 +53,7 @@ This is the [LTS](/releasenotes/studio-pro/lts-mts/#lts) version 9 release for a

### Fixes

* We fixed a security issue related to importing modules into Studio Pro. (6.1 – CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N – for more information see [Security Advisories](/releasenotes/security-advisories/#40592))
* We fixed an issue where Consumed Web Service caused validation failure in runtime for WSDL files imported locally. (Ticket 146066)
* In the logic editors, we fixed an issue where a warning was shown for microflows being inaccessible even though they were used in the application. (Tickets 184859, 186059, 215091, 216988)
* We fixed an issue where some task queue tasks remained in the Running state when a clustered application was restarted while optimistic locking was also enabled. (Ticket 239838)
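Review bot: not part of this change, but the context line "caused validation failure in runtime for WSDL files imported locally" differs from the wording used for the same ticket (146066) in the other files here ("caused a validation failure at runtime"); aligning it would be a cheap drive-by fix.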