In Mattermost versions 10.4.x ≤ 10.4.1, 9.11.x ≤ 9.11.7, 10.3.x ≤ 10.3.2, and 10.2.x ≤ 10.2.2 a critical severity vulnerability CVE-2025-24490 was detected. This vulnerability allows attackers to retrieve sensitive data from the database via SQL injection due to the failure to use prepared statements when reordering specially crafted board categories. To address this issue, users should upgrade Mattermost to versions 9.0.5 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-24490.
Read more Communication
In Mastodon versions prior to 4.1.23, 4.2.16 and 4.3.4 a medium severity vulnerability CVE-2025-27399 was detected. This vulnerability allows unapproved users to view domain block reasons when the visibility is set to “To logged-in users,” potentially exposing sensitive moderation details. To address this issue, users should upgrade Mastodon to versions 4.1.23, 4.2.16 or 4.3.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27399.
Read more Communication
In Mattermost versions 9.11.x up to 9.11.6 and 10.4.x up to 10.4.1 a low severity vulnerability CVE-2025-1412 was detected. The issue allows users converted to bots to retain their previous permissions, potentially escalating privileges. To address this issue, users should upgrade Mattermost to version 9.11.7 or 10.4.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1412.
Read more Communication
In Mattermost versions 10.4.x up to 10.4.1, 9.11.x up to 9.11.7, 10.3.x up to 10.3.2 and 10.2.x up to 10.2.2 a critical severity vulnerability CVE-2025-20051 was detected. This vulnerability allows attackers to read arbitrary files on the system by exploiting improper input validation when patching and duplicating a board, specifically through duplicating a specially crafted block in Boards. To address this issue, users should upgrade Mattermost to versions 10.4.2 or later, 10.3.3 or later, 10.2.3 or later and 9.11.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-20051.
Read more Communication
In Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, and 10.2.x <= 10.2.2 a critical severity vulnerability CVE-2025-25279 was detected. This vulnerability allows attackers to read any arbitrary file on the system by importing and exporting a specially crafted import archive in Boards. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-25279.
Read more Communication
In Mattermost versions 9.11.0 <= 9.11.7, 10.1.0 <= 10.1.3, 10.2.0 <= 10.2.2, 10.3.0 <= 10.3.2, and 10.4.0 <= 10.4.1 a medium severity vulnerability CVE-2025-24526 was detected. This allows users to export archived channel contents without proper access. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-24526.
Read more Communication
In Discourse versions 3.3.2 and prior on the `stable` branch and 3.4.0.beta3 and prior on the `beta` and `tests-passed` branches a medium severity vulnerability CVE-2024-53851 was detected. This vulnerability allows authenticated users to cause a denial of service by exploiting the endpoint for generating inline oneboxes for URLs. To address this issue, users should upgrade Discourse to version 3.3.3 and later on the `stable` branch or version 3.4.0.beta4 and later on the `beta` and `tests-passed` branches. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-53851.
Read more Communication
In Discourse versions prior to 3.3.3 on the `stable` branch and prior to 3.4.0.beta4 on the `tests-passed` branch a medium severity vulnerability CVE-2024-53266 was detected. This vulnerability allows attackers to execute arbitrary JavaScript via the user’s profile activity streams. To address this issue, users should upgrade Discourse to version 3.3.3 and later on the `stable` branch or version 3.4.0.beta4 and later on the `tests-passed` branches. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-53266.
Read more Communication
In Discourse versions 3.3.3 and prior on the `stable` branch and 3.4.0.beta3 and prior on the `beta` and `tests-passed` branches a medium severity vulnerability CVE-2024-56328 was detected. This vulnerability allows attackers to post malicious links that can execute harmful code in users’ browsers if Content Security Policy protection is disabled on the site. To fix this issue, users should upgrade Discourse to versions 3.3.4 and later on the `stable` branch or version 3.4.0.beta4 and later on the `beta` and `tests-passed` branches. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-56328.
Read more Communication