
CVE-2025-1558 – Denial of Service Via Malicious GIF
https://notcve.org/view.php?id=CVE-2025-1558
24 Mar 2025 — Mattermost Mobile Apps versions <=2.25.0 fail to properly validate GIF images prior to rendering which allows a malicious user to cause the Android application to crash via message containing a maliciously crafted GIF. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input •

CVE-2025-25068 – Bypassing MFA Enforcement on Plugin Endpoints
https://notcve.org/view.php?id=CVE-2025-25068
21 Mar 2025 — Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes. • https://mattermost.com/security-updates • CWE-306: Missing Authentication for Critical Function •

CVE-2025-24920 – Unauthorized Bookmark Creation and Modification in Archived Channels
https://notcve.org/view.php?id=CVE-2025-24920
21 Mar 2025 — Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users to create or update bookmarks in archived channels. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-30179 – MFA Enforcement Bypass in Search APIs
https://notcve.org/view.php?id=CVE-2025-30179
21 Mar 2025 — Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-25274 – Unauthorized Command Execution in Archived Channels
https://notcve.org/view.php?id=CVE-2025-25274
21 Mar 2025 — Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-27933 – Unauthorized Private-to-Public Channel Conversion
https://notcve.org/view.php?id=CVE-2025-27933
21 Mar 2025 — Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private channels to public. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-27715 – Auto-Enrollment of Team Admins into Private Channels without explicit consent
https://notcve.org/view.php?id=CVE-2025-27715
21 Mar 2025 — Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which allows team admins to be joined to private channels via crafted permalink links without their explicit consent. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-1472 – Unauthorized View Access to Site Statistics and Team Statistics
https://notcve.org/view.php?id=CVE-2025-1472
19 Mar 2025 — Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVE-2025-1398 – macOS TCC Bypass via Code Injection
https://notcve.org/view.php?id=CVE-2025-1398
17 Mar 2025 — Mattermost Desktop App versions <=5.10.0 explicitly declared unnecessary macOS entitlements which allows an attacker with remote access to bypass Transparency, Consent, and Control (TCC) via code injection. • https://mattermost.com/security-updates • CWE-426: Untrusted Search Path •

CVE-2025-20051 – Arbitrary file read via block duplication in Mattermost Boards
https://notcve.org/view.php?id=CVE-2025-20051
24 Feb 2025 — Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate input when patching and duplicating a board, which allows a user to read any arbitrary file on the system via duplicating a specially crafted block in Boards. • https://mattermost.com/security-updates • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •