Mattermost Server 10.5.0
cpe:2.3:a:mattermost:mattermost_server:10.5.0:-:*:*:*:*:*:*
Part: a, Version: 10.5.0, Update: -
| Field | Value |
|---|---|
| Vendor | Mattermost (ed0788ef-af60-58f1-b6aa-68289d9946dc) |
| Product | Mattermost Server (657bc445-594e-5ca1-a676-4f18538f1c02) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| pkg:github/mattermost/mattermost-server | purl2cpe | 2026-06-01 10:18:19.891734 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2025-41423 | vulnerable | 2026-06-03 15:01:14.856578 | Unauthorized Playbooks Post Deletion in Mattermost Playbooks Plugin. Severity: LOW (3.1). Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks bot, even without channel access or appropriate permissions. Published: 2025-04-24T06:50:12.214Z. Updated: 2025-04-24T13:06:53.385Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-35965 | vulnerable | 2026-06-03 15:00:52.246831 | DoS in Mattermost Playbooks via Excessive Task Actions. Severity: MEDIUM (6.5). Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts, overloading the server and leading to a denial-of-service (DoS) condition. Published: 2025-04-24T06:49:22.669Z. Updated: 2025-04-24T13:06:59.413Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-31363 | vulnerable | 2026-06-03 15:00:30.517499 | Data exfiltration via AI plugin Jira tool. Severity: LOW (3). Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 fail to restrict domains the LLM can request to contact upstream, which allows an authenticated user to exfiltrate data from an arbitrary server accessible to the victim via performing a prompt injection in the AI plugin's Jira tool. Published: 2025-04-16T09:14:15.992Z. Updated: 2025-04-16T14:33:01.674Z. | Imported from gcve-enriched-dumps CVE data |