In Mattermost versions 10.7.0 and earlier, 10.6.2 and earlier, 10.5.3 and earlier, and 9.11.12 and earlier, a medium severity vulnerability, CVE-2025-3913, was detected. This vulnerability allows team administrators without the ‘invite user’ permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint, due to improper permission validation when changing team privacy settings. To address this issue, users should upgrade Mattermost to versions 10.7.1, 10.6.3, 10.5.4, 9.11.13 or 8.0.0-20250412152950-02c76784380a. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3913.
In Mattermost versions 10.5.x ≤ 10.5.3 and 9.11.x ≤ 9.11.11, a low severity vulnerability, CVE-2025-2570, was detected. This vulnerability allows a System Manager to access `ExperimentalSettings` via the System Console even when the `RestrictSystemAdmin` setting is true, due to improper access control. To address this issue, users should upgrade Mattermost to versions above 10.5.3 or 9.11.11. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2570.
In Zulip versions 10.0 to before 10.3, a medium severity vulnerability, CVE-2025-47930, was detected. This vulnerability allows attackers to bypass the “Who can create public channels” access control by creating a private or web-public channel and then changing its privacy setting to public. Similarly, private channels can be created without proper permissions using the API or by altering HTML. To address this issue, users should upgrade Zulip to version 10.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-47930.
In Mattermost versions 10.6.x ≤ 10.6.1, 10.5.x ≤ 10.5.2, 10.4.x ≤ 10.4.4 and 9.11.x ≤ 9.11.11, a medium severity vulnerability, CVE-2025-31947, was detected. This vulnerability allows attackers to cause external LDAP accounts to be locked out by triggering repeated login failures through Mattermost, as LDAP users are not locked out properly. To address this issue, users should upgrade Mattermost to versions 10.7.0, 10.6.2, 10.5.3, 10.4.5, 9.11.12 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-31947.
In Mattermost versions 10.6.x ≤ 10.6.1, 10.5.x ≤ 10.5.2, 10.4.x ≤ 10.4.4 and 9.11.x ≤ 9.11.11, a medium severity vulnerability, CVE-2025-3446, was detected. This vulnerability allows authenticated users with permission only to invite non-guest users to add guest users to teams via the API. To address this issue, users should upgrade Mattermost to versions 10.7.0, 10.6.2, 10.5.3, 10.4.5, 9.11.12 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3446.
In Discourse versions between commits 10df7fdee060d44accdee7679d66d778d1136510 and 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b on the 3.5.0.beta4 branch, a medium severity vulnerability, CVE-2025-46813, was detected. This vulnerability allows unauthenticated users to view private homepage content on login-required sites deployed during the affected window. To address this issue, users should upgrade Discourse to versions above commit 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-46813.
In Discourse versions prior to 3.4.3 (stable) and 3.5.0.beta3 (beta), a medium severity vulnerability, CVE-2025-32376, was detected. This vulnerability allows attackers to bypass the user limit for direct messages (DMs), potentially enabling the creation of a DM including every user on a site. To address this issue, users should upgrade Discourse to version 3.4.3 (stable) or later, or 3.5.0.beta3 (beta) or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-32376.
In Mattermost versions 10.4.x ≤ 10.4.2, 10.5.x ≤ 10.5.0 and 9.11.x ≤ 9.11.10, a medium severity vulnerability, CVE-2025-41395, was detected. This issue arises from improper validation of `props` in the `RetrospectivePost` custom post type in the Playbooks plugin, allowing attackers to craft posts that trigger a denial of service (DoS) in the web app for all users. To address this issue, users should upgrade Mattermost to versions 10.6.0, 10.4.3, 10.5.1, 9.11.11 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-41395.
In Mattermost versions 10.4.x ≤ 10.4.2, 10.5.x ≤ 10.5.0 and 9.11.x ≤ 9.11.10, a medium severity vulnerability, CVE-2025-35965, was identified. The issue lies in the failure to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, allowing attackers to create tasks with excessive triggered actions that can overwhelm the server and cause a denial-of-service (DoS) condition. To resolve this issue, users should upgrade Mattermost to versions 10.6.0, 10.4.3, 10.5.1, 9.11.11 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-35965.