
CVE-2025-8402 – Nil pointer dereference in bulk import crashes server
https://notcve.org/view.php?id=CVE-2025-8402
21 Aug 2025 — Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data, which allows a system admin to crash the server via the bulk import feature. • https://mattermost.com/security-updates • CWE-476: NULL Pointer Dereference; CWE-1287: Improper Validation of Specified Type of Input

CVE-2025-6465 – Path traversal in image upload with preview overwrite
https://notcve.org/view.php?id=CVE-2025-6465
21 Aug 2025 — Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to sanitize file names, which allows users with file upload permission to overwrite file attachment thumbnails via path traversal in the file streaming APIs. • https://mattermost.com/security-updates • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2025-47870 – Team invite ID leaked to team admin with no member invite privileges
https://notcve.org/view.php?id=CVE-2025-47870
21 Aug 2025 — Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint, which allows a team admin with no member invite privileges to obtain the team's invite ID. • https://mattermost.com/security-updates • CWE-306: Missing Authentication for Critical Function

CVE-2025-49222 – Mattermost Shared Channel Upload Type Validation Bypass
https://notcve.org/view.php?id=CVE-2025-49222
21 Aug 2025 — Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions, which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in arbitrary filesystem directories. • https://mattermost.com/security-updates • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2025-8023 – Path Traversal in Template Upload Allows Uploading Files Outside Target Directory
https://notcve.org/view.php?id=CVE-2025-8023
21 Aug 2025 — Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious path components, potentially enabling malicious file placement outside the intended directories. • https://mattermost.com/security-updates • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2025-36530 – Import Path Traversal Enables Unauthorized Unsigned Plugin Installation
https://notcve.org/view.php?id=CVE-2025-36530
21 Aug 2025 — Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations, which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions. • https://mattermost.com/security-updates • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2025-6233 – Arbitrary file read by system admin via path traversal
https://notcve.org/view.php?id=CVE-2025-6233
18 Jul 2025 — Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize the input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal. • https://mattermost.com/security-updates • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2025-6226 – IDOR in CreatePost API allows for timeboxed message disclosure
https://notcve.org/view.php?id=CVE-2025-6226
18 Jul 2025 — Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID, which allows an authenticated user to read posts in private channels they do not have access to by guessing the PendingPostID of recently created posts. • https://mattermost.com/security-updates • CWE-306: Missing Authentication for Critical Function

CVE-2025-47871 – Mattermost Playbooks exposes private channel metadata to unauthorized users via run metadata API
https://notcve.org/view.php?id=CVE-2025-47871
30 Jun 2025 — Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive information about linked private channels, including channel name, display name, and participant count, through the run metadata API endpoint. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization

CVE-2025-46702 – Mattermost Playbooks allows privilege escalation through improper access control in playbook run participant management
https://notcve.org/view.php?id=CVE-2025-46702
30 Jun 2025 — Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users with member-level permissions to bypass system admin restrictions and add or remove users to/from private channels via the playbook run participants feature, even when the 'Manage Members' permission has been explicitly removed. This can lead to unauthorized acces... • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization