In Mattermost versions 10.4.x up to and including 10.4.2, 10.3.x up to and including 10.3.3 and 9.11.x up to and including 9.11.8 a medium severity vulnerability CVE-2025-25274 was detected. This vulnerability allows authenticated users to execute commands in archived channels due to a failure to restrict command execution in those channels. To address this issue, users should upgrade Mattermost to versions 10.5.0, 10.4.3, 10.3.4, 9.11.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25274.
In Mattermost versions 9.11.x up to and including 9.11.8 a medium severity vulnerability CVE-2025-1472 was detected. This vulnerability allows attackers with the Viewer role, even when configured with No Access to Reporting, to still view team and site statistics due to improper authorization enforcement. To address this issue, users should upgrade Mattermost to versions 9.11.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1472.
In Mattermost Desktop App versions 5.10.0 and prior a low severity vulnerability CVE-2025-1398 was detected. This vulnerability allows attackers with remote access to bypass Transparency, Consent, and Control (TCC) via code injection due to explicitly declared unnecessary macOS entitlements. To address this issue, users should upgrade Mattermost to versions 5.11.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1398.
In Mattermost versions 10.4.x ≤ 10.4.1, 9.11.x ≤ 9.11.7, 10.3.x ≤ 10.3.2, and 10.2.x ≤ 10.2.2 a critical severity vulnerability CVE-2025-24490 was detected. This vulnerability allows attackers to retrieve sensitive data from the database via SQL injection due to the failure to use prepared statements when reordering specially crafted board categories. To address this issue, users should upgrade Mattermost to version 9.0.5 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-24490.
In Mastodon versions prior to 4.1.23, 4.2.16 and 4.3.4 a medium severity vulnerability CVE-2025-27399 was detected. This vulnerability allows unapproved users to view domain block reasons when the visibility is set to “To logged-in users,” potentially exposing sensitive moderation details. To address this issue, users should upgrade Mastodon to versions 4.1.23, 4.2.16 or 4.3.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27399.
In Mattermost versions 9.11.x up to 9.11.6 and 10.4.x up to 10.4.1 a low severity vulnerability CVE-2025-1412 was detected. The issue allows users converted to bots to retain their previous permissions, potentially escalating privileges. To address this issue, users should upgrade Mattermost to version 9.11.7 or 10.4.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1412.
In Mattermost versions 10.4.x up to 10.4.1, 9.11.x up to 9.11.7, 10.3.x up to 10.3.2 and 10.2.x up to 10.2.2 a critical severity vulnerability CVE-2025-20051 was detected. This vulnerability allows attackers to read arbitrary files on the system by exploiting improper input validation when patching and duplicating a board, specifically through duplicating a specially crafted block in Boards. To address this issue, users should upgrade Mattermost to versions 10.4.2 or later, 10.3.3 or later, 10.2.3 or later and 9.11.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-20051.
In Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, and 10.2.x <= 10.2.2 a critical severity vulnerability CVE-2025-25279 was detected. This vulnerability allows attackers to read any arbitrary file on the system by importing and exporting a specially crafted import archive in Boards. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-25279.
In Mattermost versions 9.11.0 <= 9.11.7, 10.1.0 <= 10.1.3, 10.2.0 <= 10.2.2, 10.3.0 <= 10.3.2, and 10.4.0 <= 10.4.1 a medium severity vulnerability CVE-2025-24526 was detected. This allows users to export archived channel contents without proper access. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-24526.