Communication and Collaboration

In Mattermost versions 10.4.x ≤ 10.4.2, 10.5.x ≤ 10.5.0 and 9.11.x ≤ 9.11.9 a low severity vulnerability CVE-2025-31363 was detected. This vulnerability allows an authenticated user to exfiltrate data from an arbitrary server accessible to the victim by performing a prompt injection in the AI plugin’s Jira tool, due to a failure to restrict domains the LLM can request. To address this issue, users should upgrade Mattermost to versions 10.6.0, 10.4.3, 10.5.1, 9.11.10 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-31363.

In Mattermost Plugin MS Teams versions <2.1.0 and Mattermost Server versions 10.5.x ≤ 10.5.1 with the MS Teams plugin enabled a medium severity vulnerability CVE-2025-27936 was detected. This vulnerability allows an attacker to retrieve the webhook secret of the MS Teams plugin via a timing attack, due to a failure to perform constant time comparison on the webhook secret. To address this issue, users should upgrade Mattermost Plugin MSTeams to version 2.1.1 or Mattermost Server to versions 10.6.0, 10.5.2 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27936.

In Mattermost versions 10.5.x ≤ 10.5.1, 10.4.x ≤ 10.4.3 and 9.11.x ≤ 9.11.9 a medium severity vulnerability CVE-2025-27571 was detected. This vulnerability allows authenticated users to access channel metadata from archived channels regardless of the “Allow Users to View Archived Channels” configuration setting. To address this issue, users should upgrade Mattermost to versions 10.6.0, 10.5.2, 10.4.4, 9.11.10 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27571.

In Mattermost versions 10.5.x up to and including 10.5.1, 10.4.x up to and including 10.4.3, and 9.11.x up to and including 9.11.9 a medium severity vulnerability CVE-2025-32093 was detected. This vulnerability allows delegated granular administration users with the “Edit Other Users” permission to perform unauthorized modifications to system administrator accounts due to improper permission validation. To address this issue, users should upgrade Mattermost to versions 10.6.0, 10.5.2, 10.4.4, 9.11.10 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-32093.

In Mattermost Mobile Apps versions 2.25.0 and prior a low severity vulnerability CVE-2025-30516 was detected. This vulnerability causes sessions to remain active during logout under certain conditions (e.g., poor connectivity), potentially allowing unauthorized users on shared devices to access sensitive information via continued mobile notifications. To address this issue, users should update Mattermost Mobile Apps to versions 2.26.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-30516.

In Mattermost versions 9.11.x up to and including 9.11.8 a low severity vulnerability CVE-2025-24866 was detected. This vulnerability allows users with delegated granular administration roles, who lack Compliance Monitoring access, to retrieve User Activity Logs via the /api/v4/audits endpoint. To address this issue, users should upgrade Mattermost to versions 9.11.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-24866.

In Discourse versions before 3.3.4 on the stable branch and 3.4.0.beta5 on the beta branch a medium severity vulnerability CVE-2025-24808 was detected. A user close to the group DM limit could bypass the limit by sending multiple requests at once. To address this issue, users should upgrade Discourse to versions 3.3.4 or later, or 3.4.0.beta5 or later. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-24808.

In Discourse versions prior to 3.3.4 on the stable branch and 3.4.0.beta5 on the beta branch a medium severity vulnerability CVE-2025-24972 was detected. In specific circumstances, users could be added to group direct messages despite having disabled direct messaging in their preferences. To address this issue, users should upgrade Discourse to versions 3.3.4 or later or 3.4.0.beta5 or later. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-24972.

In Mattermost Mobile Apps versions 2.25.0 and prior a medium severity vulnerability CVE-2025-1558 was detected. This vulnerability allows attackers to cause the Android application to crash by sending a message containing a maliciously crafted GIF due to improper validation prior to rendering. To address this issue, users should upgrade Mattermost Mobile Apps to versions 2.26.0, 2.25.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1558.