In Mattermost versions 11.1.x ≤ 11.1.0, 11.0.x ≤ 11.0.5, 10.12.x ≤ 10.12.3 and 10.11.x ≤ 10.11.7 a medium severity vulnerability CVE-2025-64641 was detected. This vulnerability allows attackers to exfiltrate Jira issue data by crafting malicious post actions that abuse the share-issue-publicly endpoint, due to insufficient validation that such actions originate from the official Jira plugin. To address this issue, users should upgrade Mattermost to versions 11.2.0, 11.1.1, 11.0.6, 10.12.4, 10.11.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-64641.
Read more CommunicationIn Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 and Mattermost Jira plugin versions <=4.4.0 a medium severity vulnerability CVE-2025-14273 was detected. This vulnerability allows unauthenticated attackers to issue forged GET and POST requests to the Jira server by spoofing user IDs and injecting arbitrary issue key paths due to improper enforcement of authentication and path restrictions in the Jira plugin. To address this issue, users should upgrade Mattermost to versions 11.2.0, 11.1.1, 11.0.6, 10.12.4, 10.11.8 or later and Mattermost Jira plugin to version 4.4.1 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-14273.
Read more CommunicationIn Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3 and 10.11.x <= 10.11.7 a medium severity vulnerability CVE-2025-13767 was detected. This vulnerability allows attackers to read content and attachments from private channels without proper membership validation when using the Jira plugin. To address this issue, users should upgrade Mattermost to versions 11.2.0, 11.1.1, 11.0.6, 10.12.4, 10.11.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13767.
Read more CommunicationIn Forgejo versions prior to 13.0.2 (and 11 LTS prior to 11.0.7) a critical severity vulnerability CVE-2025-68937 was detected. This vulnerability allows attackers to write to unintended files and potentially gain shell access due to improper handling of out-of-repository symlink destinations in template repositories. To address this issue, users should upgrade Forgejo to version 13.0.2 or later, or 11.0.7 or later for the LTS branch. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68937.
Read more Developer ToolsIn Gitea versions prior to 1.20.1 a medium severity vulnerability CVE-2025-68946 was detected. This vulnerability allows attackers to perform cross-site scripting (XSS) by injecting forbidden URL schemes such as javascript: into links, which can then be executed in a victim’s browser. To address this issue, users should upgrade Gitea to version 1.20.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68946.
Read more Developer ToolsIn Mattermost versions 10.11.x up to and including 10.11.5, 11.0.x up to and including 11.0.4, and 10.12.x up to and including 10.12.2 a medium severity vulnerability CVE-2025-13324 was detected. This vulnerability allows attackers who intercept invite tokens to reuse them after initial use, enabling unauthorized manipulation of channel memberships, including adding or removing users from private channels via a token replay attack. To address this issue, users should upgrade Mattermost to versions 11.1.0, 10.11.6, 11.0.5, 10.12.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13324.
Read more CommunicationIn Mattermost versions 11.0.x ≤ 11.0.4, 10.12.x ≤ 10.12.2, and 10.11.x ≤ 10.11.6 a medium severity vulnerability CVE-2025-12689 was detected. This vulnerability allows attackers to crash the Mattermost Calls plugin by sending malformed WebSocket requests that are not properly validated for UTF-8 encoding, resulting in a denial-of-service condition. To address this issue, users should upgrade Mattermost to versions 11.1.0, 11.0.5, 10.12.3, 10.11.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-12689.
Read more CommunicationIn Mattermost Desktop App versions prior to 6.0.0 a low severity vulnerability CVE-2025-13326 was detected. This vulnerability allows attackers to inherit macOS Transparency, Consent, and Control (TCC) permissions by copying the application binary to a temporary folder due to the Hardened Runtime not being enabled when the app is packaged for the Mac App Store. To address this issue, users should upgrade Mattermost Desktop App to version 6.0.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13326.
Read more CommunicationIn Mattermost Desktop App versions below 6.0.0 a low severity vulnerability CVE-2025-13321 was detected. This vulnerability allows attackers with access to a user’s system to gain access to potentially sensitive information by reading unsanitized application logs and data not cleared upon server deletion. To address this issue, users should upgrade Mattermost Desktop App to version 6.0.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13321.
Read more Communication