In Mattermost versions 10.4.x ≤ 10.4.2, 10.5.x ≤ 10.5.0 and 9.11.x ≤ 9.11.10 a low severity vulnerability CVE-2025-41423 was detected. This issue allows any user or attacker to delete posts created by the Playbooks bot through the `/plugins/playbooks/api/v0/signal/keywords/ignore-thread` API endpoint, even without channel access or proper permissions. To address this issue, users should upgrade Mattermost to versions 10.6.0, 10.4.3, 10.5.1, 9.11.11 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-41423.
In Mattermost versions 10.5.x ≤ 10.5.1, 10.4.x ≤ 10.4.3 and 9.11.x ≤ 9.11.9 a medium severity vulnerability CVE-2025-2564 was detected. This vulnerability allows authenticated users to view members and member information of archived channels even when the ‘Allow users to view/update archived channels’ setting is disabled. To address this issue, users should upgrade Mattermost to versions 10.5.2, 10.4.4, 9.11.10 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2564.
In Zulip versions prior to 10.2 a high severity vulnerability CVE-2025-31478 was detected. This vulnerability allows attackers to create accounts in organizations configured to use SSO-only authentication, even without having an account with the configured SSO backend. To address this issue, users should upgrade Zulip to version 10.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-31478.
In Mattermost versions 10.5.0 to 10.5.1 and 9.11.0 to 9.11.9 a low severity vulnerability CVE-2025-27538 was detected. This vulnerability allows users with certain permissions to turn MFA on or off for other users without proper checks. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-27538.
In Mattermost versions 10.5.x ≤ 10.5.1, 10.4.x ≤ 10.4.3 and 9.11.x ≤ 9.11.9 a medium severity vulnerability CVE-2025-2475 was detected. This vulnerability allows attackers to log in once using normal credentials after a user account is converted to a bot, due to improper cache invalidation. To address this issue, users should upgrade Mattermost to versions 10.6.0, 10.5.2, 10.4.4, 9.11.10 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2475.
In Mattermost versions 10.5.x ≤ 10.5.1 and 9.11.x ≤ 9.11.9 a low severity vulnerability CVE-2025-2424 was detected. This vulnerability allows attackers who know the IDs of deleted files to obtain their metadata by creating bookmarks, due to missing checks on file deletion. To address this issue, users should upgrade Mattermost to versions 10.5.2 or later for the 10.5.x series and 9.11.10 or later for the 9.11.x series. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2424.
In Mattermost versions 10.4.x ≤ 10.4.2, 10.5.x ≤ 10.5.0 and 9.11.x ≤ 9.11.9 a low severity vulnerability CVE-2025-31363 was detected. This vulnerability allows an authenticated user to exfiltrate data from an arbitrary server accessible to the victim by performing a prompt injection in the AI plugin’s Jira tool, due to a failure to restrict domains the LLM can request. To address this issue, users should upgrade Mattermost to versions 10.6.0, 10.4.3, 10.5.1, 9.11.10 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-31363.
In Mattermost Plugin MS Teams versions <2.1.0 and Mattermost Server versions 10.5.x ≤ 10.5.1 with the MS Teams plugin enabled a medium severity vulnerability CVE-2025-27936 was detected. This vulnerability allows an attacker to retrieve the webhook secret of the MS Teams plugin via a timing attack, due to a failure to perform constant time comparison on the webhook secret. To address this issue, users should upgrade Mattermost Plugin MS Teams to version 2.1.1 or Mattermost Server to versions 10.6.0, 10.5.2 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27936.
In Mattermost versions 10.5.x ≤ 10.5.1, 10.4.x ≤ 10.4.3 and 9.11.x ≤ 9.11.9 a medium severity vulnerability CVE-2025-27571 was detected. This vulnerability allows authenticated users to access channel metadata from archived channels regardless of the “Allow Users to View Archived Channels” configuration setting. To address this issue, users should upgrade Mattermost to versions 10.6.0, 10.5.2, 10.4.4, 9.11.10 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27571.