Communication and Collaboration

In Mattermost versions 10.2.x up to and including 10.2.0, 9.11.x up to and including 9.11.5, 10.0.x up to and including 10.0.3, 10.1.x up to and including 10.1.3 a medium severity vulnerability CVE-2025-21088 was detected. This vulnerability allows an attacker to crash the frontend by crafting malicious input that improperly validates the style of proto supplied to an action’s style in post.props.attachments. To address this issue, users should upgrade Mattermost to version 10.2.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-21088.

In Mattermost versions 10.2.x up to and including 10.2.0, 9.11.x up to and including 9.11.5, 10.0.x up to and including 10.0.3, 10.1.x up to and including 10.1.3 a medium severity vulnerability CVE-2025-20086 was detected. This vulnerability allows a malicious authenticated user to cause a crash by creating a malicious post with improperly validated post props. To address this issue, users should upgrade Mattermost to version 10.2.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-20086.

In Zulip versions 10.0-dev after commit 50256f48314250978f521ef439cafa704e056539 a medium severity vulnerability CVE-2025-25195 was detected. This vulnerability allows attackers to view the names of private channels through improperly scoped inactivity notifications sent to all users in the organization. To address this issue, users should upgrade Zulip to 10.0-dev at commit 75be449d456d29fef27e9d1828bafa30174284b4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25195.

In Mattermost versions 10.2.x up to and including 10.2.0, 9.11.x up to and including 9.11.5, 10.0.x up to and including 10.0.3, 10.1.x up to and including 10.1.3 a medium severity vulnerability CVE-2025-20088 was detected. This vulnerability allows a malicious authenticated user to cause a crash by creating a malicious post with improperly validated post props. To address this issue, users should upgrade Mattermost to version 10.2.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-20088.

In Mattermost versions 9.11.x up to 9.11.6 a low severity vulnerability CVE-2025-0503 was detected. This vulnerability allows attackers to infer user IDs and other metadata from deleted DMs when manually marked as deleted in the database. To address this issue, users should upgrade Mattermost to version 10.4.0 or 9.11.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0503.

In Mattermost versions 10.x up to and including 10.2 a low severity vulnerability CVE-2025-22445 was detected. This vulnerability allows confusion for administrators regarding a Calls security-sensitive configuration due to inaccurate UI reporting of missing settings. To address this issue, users should upgrade Mattermost to version 10.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-22445.

In Mattermost Mobile Apps versions 2.22.0 and prior a medium severity vulnerability CVE-2025-0476 was detected. This vulnerability allows an attacker to crash the mobile app for any user who opens a channel containing a specially crafted attachment. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0476.

In Mattermost versions 9.11.x up to and including 9.11.5 a low severity vulnerability CVE-2025-22449 was detected. This vulnerability allows team admins without permission to invite users to their team to bypass restrictions by updating the “allow_open_invite” field, making their team public and inviting users. To address this issue, users should upgrade Mattermost to version 9.11.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-22449.

In Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 a medium severity vulnerability CVE-2024-54083 was detected. This vulnerability allows attackers to cause a client-side denial of service (DoS) to users of particular channels by sending specially crafted posts. To address this issue, users should upgrade Mattermost to version 10.1.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-54083.