
CVE-2025-25279 – Arbitrary file read in Mattermost Boards via import & export board archive
https://notcve.org/view.php?id=CVE-2025-25279
24 Feb 2025 — Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards, which allows an attacker to read arbitrary files on the system by importing and then exporting a specially crafted import archive in Boards. • https://github.com/numanturle/CVE-2025-25279 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
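The advisory above only says that board blocks in the import archive are not validated; it does not describe the exact field that carries the traversal. The generic check below is an added example, not Mattermost's own code: it takes a filename derived from archive content (an entry name or a path stored inside a block) and rejects anything that would resolve outside the extraction directory, including "..", absolute paths and Windows drive prefixes. The destination directory `/tmp/import` and the sample entry list are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeEntry is returned for any name that would escape the extraction directory.
var ErrUnsafeEntry = errors.New("archive entry escapes extraction directory")

// SafeJoin resolves an archive-supplied name against destDir and returns the
// cleaned target path. It rejects empty names, absolute paths, Windows drive
// prefixes, and any name whose cleaned form resolves outside destDir.
func SafeJoin(destDir, entryName string) (string, error) {
	if entryName == "" {
		return "", ErrUnsafeEntry
	}
	// Absolute paths are never acceptable for an entry inside an archive.
	if filepath.IsAbs(entryName) || strings.HasPrefix(entryName, "/") || strings.HasPrefix(entryName, "\\") {
		return "", ErrUnsafeEntry
	}
	// Normalise separators so "..\" is treated exactly like "../".
	normalized := strings.ReplaceAll(entryName, "\\", "/")
	// A bare drive letter ("C:...") is not absolute on Linux but is on Windows; reject it everywhere.
	if len(normalized) >= 2 && normalized[1] == ':' {
		return "", ErrUnsafeEntry
	}
	cleanDest := filepath.Clean(destDir)
	// Join also cleans, so "a/../../x" collapses to "../x" relative to destDir.
	target := filepath.Join(cleanDest, filepath.FromSlash(normalized))
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil {
		return "", ErrUnsafeEntry
	}
	// The only acceptable results are strict descendants of destDir.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeEntry
	}
	return target, nil
}

// CheckArchiveEntries runs SafeJoin over every name and partitions them into
// names that are safe to write and names that must be refused.
func CheckArchiveEntries(destDir string, names []string) (safe []string, rejected []string) {
	for _, name := range names {
		if _, err := SafeJoin(destDir, name); err != nil {
			rejected = append(rejected, name)
			continue
		}
		safe = append(safe, name)
	}
	return safe, rejected
}

// SampleEntries is a constructed archive listing: two legitimate board files
// and four names that attempt to escape the import directory.
var SampleEntries = []string{
	"boards/board.json",
	"boards/blocks/block-1.json",
	"../../../../etc/passwd",
	"/etc/shadow",
	"boards/../../.ssh/id_rsa",
	`C:\Windows\win.ini`,
}

func main() {
	safe, rejected := CheckArchiveEntries("/tmp/import", SampleEntries)
	fmt.Println("safe:    ", safe)
	fmt.Println("rejected:", rejected)
}
```

This check only covers names. If the archive format can also carry symbolic links, an extractor must refuse or skip them (or write every file with O_NOFOLLOW semantics), since a symlink entry pointing outside destDir lets a later, apparently safe entry be written through it.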

CVE-2025-1412 – Session Persistence After User-to-Bot Conversion
https://notcve.org/view.php?id=CVE-2025-1412
24 Feb 2025 — Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, which allows the converted user to escalate their privileges depending on the permissions granted to the bot. • https://mattermost.com/security-updates • CWE-384: Session Fixation •

CVE-2025-24526 – Channel export permitted on archived channel when viewing archived channels is disabled
https://notcve.org/view.php?id=CVE-2025-24526
24 Feb 2025 — Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archived channels" setting is disabled, which allows a user to export the contents of a channel they should not have access to. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-0503 – Leaked User IDs and Metadata of Deleted DMs
https://notcve.org/view.php?id=CVE-2025-0503
14 Feb 2025 — Mattermost versions 9.11.x <= 9.11.6 fail to filter out DMs from the deleted channels endpoint which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database. • https://mattermost.com/security-updates • CWE-754: Improper Check for Unusual or Exceptional Conditions •

CVE-2025-20621 – Webapp crash via object that can't be cast to String in Attachment Field
https://notcve.org/view.php?id=CVE-2025-20621
16 Jan 2025 — Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash via creating and sending such a post to a channel. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input •

CVE-2025-20088 – Insufficient Input Validation on Post Props
https://notcve.org/view.php?id=CVE-2025-20088
15 Jan 2025 — Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input •

CVE-2025-20086 – Insufficient Input Validation on Post Props
https://notcve.org/view.php?id=CVE-2025-20086
15 Jan 2025 — Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input •

CVE-2025-21088 – WebApp crash via improper validation of proto style in attachments
https://notcve.org/view.php?id=CVE-2025-21088
15 Jan 2025 — Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style value supplied for an action in post.props.attachments, which allows an attacker to crash the frontend via crafted malicious input. • https://mattermost.com/security-updates • CWE-704: Incorrect Type Conversion or Cast •

CVE-2025-20033 – DoS via custom post type for sysconsole plugin readers
https://notcve.org/view.php?id=CVE-2025-20033
09 Jan 2025 — Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input •

CVE-2025-22449 – Access control flaw for team admins allows unauthorized team additions
https://notcve.org/view.php?id=CVE-2025-22449
09 Jan 2025 — Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins who have no permission to invite users to their team to invite users anyway by making their team public, i.e. by updating the "allow_open_invite" field. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •