In Mattermost versions 9.11.x up to and including 9.11.8 a low severity vulnerability CVE-2025-24866 was detected. This vulnerability allows users with delegated granular administration roles, who lack Compliance Monitoring access, to retrieve User Activity Logs via the /api/v4/audits endpoint. To address this issue, users should upgrade Mattermost to versions 9.11.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-24866.
In Discourse versions before 3.3.4 on the stable branch and 3.4.0.beta5 on the beta branch a medium severity vulnerability CVE-2025-24808 was detected. A user close to the group DM limit could bypass the limit by sending multiple requests at once. To address this issue, users should upgrade Discourse to versions 3.3.4 or later, or 3.4.0.beta5 or later. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-24808.
In Discourse versions prior to 3.3.4 on the stable branch and 3.4.0.beta5 on the beta branch a medium severity vulnerability CVE-2025-24972 was detected. In specific circumstances, users could be added to group direct messages despite having disabled direct messaging in their preferences. To address this issue, users should upgrade Discourse to versions 3.3.4 or later, or 3.4.0.beta5 or later. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-24972.
In Mattermost Mobile Apps versions 2.25.0 and prior a medium severity vulnerability CVE-2025-1558 was detected. This vulnerability allows attackers to cause the Android application to crash by sending a message containing a maliciously crafted GIF, due to improper validation prior to rendering. To address this issue, users should upgrade Mattermost Mobile Apps to versions 2.26.0, 2.25.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1558.
In Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, and 10.5.x <= 10.5.0 a high severity vulnerability CVE-2025-25068 was detected. This vulnerability allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes. To address this issue, users should upgrade Mattermost to versions 10.6.0, 10.4.3, 10.3.4, 9.11.9, 10.5.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25068.
In Mattermost versions 10.4.x up to and including 10.4.2, 10.3.x up to and including 10.3.3 and 9.11.x up to and including 9.11.8 a medium severity vulnerability CVE-2025-25274 was detected. This vulnerability allows authenticated users to execute commands in archived channels, due to a failure to restrict command execution in those channels. To address this issue, users should upgrade Mattermost to versions 10.5.0, 10.4.3, 10.3.4, 9.11.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25274.
In Mattermost versions 10.4.x up to and including 10.4.2, 10.3.x up to and including 10.3.3 and 9.11.x up to and including 9.11.8 a medium severity vulnerability CVE-2025-30179 was detected. This vulnerability allows authenticated attackers to bypass Multi-Factor Authentication (MFA) protections via user search, channel search, or team search queries, as MFA is not enforced on certain search APIs. To address this issue, users should upgrade Mattermost to versions 10.5.0, 10.4.3, 10.3.4, 9.11.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-30179.
In Mattermost versions 10.4.x up to and including 10.4.2, 10.3.x up to and including 10.3.3 and 9.11.x up to and including 9.11.8 a medium severity vulnerability CVE-2025-27933 was detected. This vulnerability allows members with permission to convert public channels to private ones to also convert private channels to public, due to a failure to enforce channel conversion restrictions. To address this issue, users should upgrade Mattermost to versions 10.5.0, 10.4.3, 10.3.4, 9.11.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27933.
In Mattermost versions 10.4.x up to and including 10.4.2, 10.3.x up to and including 10.3.3, 9.11.x up to and including 9.11.8 and 10.5.x up to and including 10.5.0 a medium severity vulnerability CVE-2025-24920 was detected. This vulnerability allows authenticated users to create or update bookmarks in archived channels, due to a failure to restrict bookmark creation and updates in those channels. To address this issue, users should upgrade Mattermost to versions 10.6.0, 10.4.3, 10.3.4, 9.11.9, 10.5.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-24920.