In Mattermost Mobile Apps versions 2.25.0 and prior, a medium severity vulnerability, CVE-2025-1558, was detected. This vulnerability allows attackers to cause the Android application to crash by sending a message containing a maliciously crafted GIF, due to improper validation prior to rendering. To address this issue, users should upgrade Mattermost Mobile Apps to versions 2.26.0, 2.25.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1558.
In Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, and 10.5.x <= 10.5.0, a high severity vulnerability, CVE-2025-25068, was detected. This vulnerability allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes. To address this issue, users should upgrade Mattermost to versions 10.6.0, 10.4.3, 10.3.4, 9.11.9, 10.5.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25068.

In Mattermost versions 10.4.x up to and including 10.4.2, 10.3.x up to and including 10.3.3 and 9.11.x up to and including 9.11.8, a medium severity vulnerability, CVE-2025-25274, was detected. This vulnerability allows authenticated users to execute commands in archived channels, due to a failure to restrict command execution in those channels. To address this issue, users should upgrade Mattermost to versions 10.5.0, 10.4.3, 10.3.4, 9.11.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25274.

In Mattermost versions 10.4.x up to and including 10.4.2, 10.3.x up to and including 10.3.3 and 9.11.x up to and including 9.11.8, a medium severity vulnerability, CVE-2025-30179, was detected. This vulnerability allows authenticated attackers to bypass Multi-Factor Authentication (MFA) protections via user search, channel search, or team search queries, as MFA is not enforced on certain search APIs. To address this issue, users should upgrade Mattermost to versions 10.5.0, 10.4.3, 10.3.4, 9.11.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-30179.

In Mattermost versions 10.4.x up to and including 10.4.2, 10.3.x up to and including 10.3.3 and 9.11.x up to and including 9.11.8, a medium severity vulnerability, CVE-2025-27933, was detected. This vulnerability allows members with permission to convert public channels to private ones to also convert private channels to public, due to a failure to enforce channel conversion restrictions. To address this issue, users should upgrade Mattermost to versions 10.5.0, 10.4.3, 10.3.4, 9.11.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27933.

In Mattermost versions 10.4.x up to and including 10.4.2, 10.3.x up to and including 10.3.3, 9.11.x up to and including 9.11.8 and 10.5.x up to and including 10.5.0, a medium severity vulnerability, CVE-2025-24920, was detected. This vulnerability allows authenticated users to create or update bookmarks in archived channels, due to a failure to restrict bookmark creation and updates in those channels. To address this issue, users should upgrade Mattermost to versions 10.6.0, 10.4.3, 10.3.4, 9.11.9, 10.5.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-24920.

In Mattermost versions 9.11.x up to and including 9.11.8, a low severity vulnerability, CVE-2025-27715, was detected. This vulnerability allows team admins to join private channels via crafted permalink links without explicit approval, due to the failure to prompt for approval before adding a team admin to a private channel. To address this issue, users should upgrade Mattermost to versions 10.5.0, 9.11.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27715.

In Mattermost versions 9.11.x up to and including 9.11.8, a medium severity vulnerability, CVE-2025-1472, was detected. This vulnerability allows attackers with the Viewer role, even when configured with No Access to Reporting, to still view team and site statistics, due to improper authorization enforcement. To address this issue, users should upgrade Mattermost to versions 9.11.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1472.

In Mattermost Desktop App versions 5.10.0 and prior, a low severity vulnerability, CVE-2025-1398, was detected. This vulnerability allows attackers with remote access to bypass Transparency, Consent, and Control (TCC) via code injection, due to explicitly declared unnecessary macOS entitlements. To address this issue, users should upgrade the Mattermost Desktop App to versions 5.11.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1398.