
CVE-2025-48731 – Unauthorized Subscription Edit to Confluence Space in Mattermost Confluence Plugin
https://notcve.org/view.php?id=CVE-2025-48731
11 Aug 2025 — Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space, which allows attackers to edit a subscription for a Confluence space the user does not have access to via the edit subscription endpoint. • https://mattermost.com/security-updates • CWE-862: Missing Authorization •

CVE-2025-44004 – Unauthenticated Channel Subscription Creation in Mattermost Confluence Plugin
https://notcve.org/view.php?id=CVE-2025-44004
11 Aug 2025 — Mattermost Confluence Plugin version <1.5.0 fails to check the authorization of the user to the Mattermost instance, which allows attackers to create a channel subscription without proper authorization via an API call to the create channel subscription endpoint. • https://mattermost.com/security-updates • CWE-306: Missing Authentication for Critical Function •

CVE-2025-44001 – Unauthorized Channel Subscription Read in Mattermost Confluence Plugin
https://notcve.org/view.php?id=CVE-2025-44001
11 Aug 2025 — Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel, which allows attackers to get channel subscription details without proper access to the channel via an API call to the Get Channel Subscriptions details endpoint. • https://mattermost.com/security-updates • CWE-862: Missing Authorization •

CVE-2025-6227 – Invite token is used as part of the secure communication
https://notcve.org/view.php?id=CVE-2025-6227
18 Jul 2025 — Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API. • https://mattermost.com/security-updates • CWE-522: Insufficiently Protected Credentials •

CVE-2025-6233 – Arbitrary file read by system admin via path traversal
https://notcve.org/view.php?id=CVE-2025-6233
18 Jul 2025 — Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal. • https://mattermost.com/security-updates • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-6226 – IDOR in CreatePost API allows for timeboxed message disclosure
https://notcve.org/view.php?id=CVE-2025-6226
18 Jul 2025 — Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID, which allows an authenticated user to read posts in private channels they do not have access to by guessing the PendingPostID of recently created posts. • https://mattermost.com/security-updates • CWE-306: Missing Authentication for Critical Function •

CVE-2025-47871 – Mattermost Playbooks exposes private channel metadata to unauthorized users via run metadata API
https://notcve.org/view.php?id=CVE-2025-47871
30 Jun 2025 — Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive information about linked private channels including channel name, display name, and participant count through the run metadata API endpoint. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-46702 – Mattermost Playbooks allows privilege escalation through improper access control in playbook run participant management
https://notcve.org/view.php?id=CVE-2025-46702
30 Jun 2025 — Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users with member-level permissions to bypass system admin restrictions and add or remove users to/from private channels via the playbook run participants feature, even when the 'Manage Members' permission has been explicitly removed. This can lead to unauthorized acces... • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-3228 – Unauthorized Guest user access to Playbook
https://notcve.org/view.php?id=CVE-2025-3228
20 Jun 2025 — Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allows an attacker access to the playbook run. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-3227 – Unauthorized channel member management through playbook runs
https://notcve.org/view.php?id=CVE-2025-3227
20 Jun 2025 — Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage Channel Members' permission to add or remove users from public and private channels by manipulating playbook run participants when the run is linked to a channel. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •