CVSS: 6.1EPSS: %CPEs: 4EXPL: 0CVE-2025-8402 – Nil pointer dereference in bulk import crashes server
https://notcve.org/view.php?id=CVE-2025-8402
21 Aug 2025 — Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data which allows a system admin to crash the server via the bulk import feature. • https://mattermost.com/security-updates • CWE-476: NULL Pointer Dereference CWE-1287: Improper Validation of Specified Type of Input •
CVSS: 4.3EPSS: %CPEs: 3EXPL: 0CVE-2025-6465 – Path traversal in image upload with preview overwrite
https://notcve.org/view.php?id=CVE-2025-6465
21 Aug 2025 — Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to sanitize file names which allows users with file upload permission to overwrite file attachment thumbnails via path traversal in file streaming APIs. • https://mattermost.com/security-updates • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2025-47870 – Team invite ID leaked to team admin with no member invite privileges
https://notcve.org/view.php?id=CVE-2025-47870
21 Aug 2025 — Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint which allows an team admin with no member invite privileges to get the team’s invite id. • https://mattermost.com/security-updates • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-49222 – Mattermost Shared Channel Upload Type Validation Bypass
https://notcve.org/view.php?id=CVE-2025-49222
21 Aug 2025 — Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in arbitrary filesystem directories. • https://mattermost.com/security-updates • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-8023 – Path Traversal in Template Upload Allows Uploading Files Outside Target Directory
https://notcve.org/view.php?id=CVE-2025-8023
21 Aug 2025 — Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fails to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious path components, potentially enabling malicious file placement outside intended directories. • https://mattermost.com/security-updates • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.7EPSS: 0%CPEs: 2EXPL: 0CVE-2025-53971 – Channel and Team Membership APIs inadvertently allow loss of Member privileges.
https://notcve.org/view.php?id=CVE-2025-53971
21 Aug 2025 — Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47700 – AI plugin APIs can be triggered using post actions
https://notcve.org/view.php?id=CVE-2025-47700
21 Aug 2025 — Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions • https://mattermost.com/security-updates • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-49810 – Thread summarization allows persistent access to channel
https://notcve.org/view.php?id=CVE-2025-49810
21 Aug 2025 — Mattermost versions 10.5.x <= 10.5.8 fail to validate access controls at time of access which allows user to read a thread via AI posts • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-36530 – Import Path Traversal Enables Unauthorized Unsigned Plugin Installation
https://notcve.org/view.php?id=CVE-2025-36530
21 Aug 2025 — Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions. • https://mattermost.com/security-updates • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 2.2EPSS: 0%CPEs: 2EXPL: 0CVE-2025-6227 – Invite token is used as part of the secure communication
https://notcve.org/view.php?id=CVE-2025-6227
18 Jul 2025 — Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API. • https://mattermost.com/security-updates • CWE-522: Insufficiently Protected Credentials •