In Mattermost versions 10.5.x ≤ 10.5.5, 9.11.x ≤ 9.11.15, 10.8.x ≤ 10.8.0, 10.7.x ≤ 10.7.2 and 10.6.x ≤ 10.6.5, a critical-severity vulnerability, CVE-2025-4981, was detected. This vulnerability allows authenticated users to write files to arbitrary locations on the filesystem by uploading archives containing path traversal sequences in filenames, potentially leading to remote code execution. It affects instances where file attachments and content extraction are enabled (the default configuration). Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4981.
In Mattermost versions 10.7.x ≤ 10.7.1, 10.6.x ≤ 10.6.3, 10.5.x ≤ 10.5.4 and 9.11.x ≤ 9.11.13, a medium-severity vulnerability, CVE-2025-4573, was detected. This vulnerability allows an authenticated administrator with the `PermissionSysconsoleWriteUserManagementGroups` permission to perform LDAP search filter injection through the `PUT /api/v4/ldap/groups/{remote_id}/link` API endpoint when `objectGUID` is improperly validated. To address this issue, users should upgrade Mattermost to versions 10.7.2, 10.6.4, 10.5.5, 9.11.14 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4573.
In Mattermost versions 10.5.x ≤ 10.5.4 and 9.11.x ≤ 9.11.13, a low-severity vulnerability, CVE-2025-4128, was detected. This vulnerability allows guest users to bypass permissions and access information about public teams they are not members of by making direct API calls to `/api/v4/teams/{team_id}`. To address this issue, users should upgrade Mattermost to version 10.5.5 for the 10.5.x series or 9.11.14 for the 9.11.x series. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4128.
In Discourse versions prior to 3.4.4 (stable branch), 3.5.0.beta5 (beta branch) and 3.5.0.beta6-dev (tests-passed branch), a high-severity vulnerability, CVE-2025-48053, was detected. This vulnerability allows attackers to reduce the availability of a Discourse instance by sending a malicious URL in a private message to a bot user. To address this issue, users should upgrade Discourse to version 3.4.4 (stable branch), 3.5.0.beta5 (beta branch) or 3.5.0.beta6-dev (tests-passed branch). For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-48053.
In Discourse versions prior to 3.4.4 (stable branch), 3.5.0.beta5 (beta branch) and 3.5.0.beta6-dev (tests-passed branch), a high-severity vulnerability, CVE-2025-48877, was detected. This vulnerability allows attackers to execute arbitrary JavaScript through Codepen iframes included in the default `allowed_iframes` site setting. To address this issue, users should upgrade Discourse to version 3.4.4 (stable branch), 3.5.0.beta5 (beta branch) or 3.5.0.beta6-dev (tests-passed branch). For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-48877.
In Discourse versions prior to 3.4.4 (stable branch), 3.5.0.beta5 (beta branch) and 3.5.0.beta6-dev (tests-passed branch), a high-severity vulnerability, CVE-2025-48062, was detected. This vulnerability allows HTML injection in email bodies when invites to users without accounts include topic titles containing HTML, affecting both private message and topic invitations with custom messages. To address this issue, users should upgrade Discourse to version 3.4.4, 3.5.0.beta5 or 3.5.0.beta6-dev. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-48062.
In Mattermost versions 10.7.x ≤ 10.7.0, 10.5.x ≤ 10.5.3 and 9.11.x ≤ 9.11.12, a medium-severity vulnerability, CVE-2025-3611, was detected. This vulnerability allows authenticated users with System Manager privileges to bypass configured access restrictions and view team details through direct API requests, even when access to Teams is explicitly denied in the System Console. To address this issue, users should upgrade Mattermost to versions 10.7.1, 10.5.4, 9.11.13 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3611.
In Mattermost versions 10.7.x ≤ 10.7.0, 10.6.x ≤ 10.6.2, 10.5.x ≤ 10.5.3 and 9.11.x ≤ 9.11.12, a medium-severity vulnerability, CVE-2025-3230, was detected. This vulnerability allows deactivated users to retain full system access by continuing to use previously issued personal access tokens, because these tokens are not properly invalidated after deactivation. To address this issue, users should upgrade Mattermost to versions 10.8.0, 10.7.1, 10.6.3, 10.5.4, 9.11.13 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3230.
In Mattermost versions 10.7.x ≤ 10.7.0, 10.6.x ≤ 10.6.2, 10.5.x ≤ 10.5.3 and 9.11.x ≤ 9.11.12, a medium-severity vulnerability, CVE-2025-2571, was detected. This vulnerability allows attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow, because the associated Google OAuth credentials are not cleared when user accounts are converted to bot accounts. To address this issue, users should upgrade Mattermost to versions 10.7.1, 10.6.3, 10.5.4 or 9.11.13. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2571.