Mattermost Server 10.8.0
cpe:2.3:a:mattermost:mattermost_server:10.8.0:-:*:*:*:*:*:*
part: a version: 10.8.0 update: -
| Vendor | Mattermost (ed0788ef-af60-58f1-b6aa-68289d9946dc) |
|---|---|
| Product | Mattermost Server (657bc445-594e-5ca1-a676-4f18538f1c02) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| pkg:github/mattermost/mattermost-server | purl2cpe | 2026-06-01 10:18:19.891844 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2025-4981 | vulnerable | 2026-06-03 15:01:49.121555 | Path Traversal Leading to RCE by Any Authenticated Mattermost User<br>CRITICAL (9.9)<br>Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequences in filenames, potentially leading to remote code execution. The vulnerability impacts instances where file uploads and document search by content is enabled (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true). These configuration settings are enabled by default.<br>Published: 2025-06-20T10:27:13.471Z<br>Updated: 2025-06-20T13:10:32.981Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-47871 | vulnerable | 2026-06-03 15:01:33.506546 | Mattermost Playbooks exposes private channel metadata to unauthorized users via run metadata API<br>MEDIUM (4.3)<br>Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive information about linked private channels including channel name, display name, and participant count through the run metadata API endpoint.<br>Published: 2025-06-30T16:51:13.979Z<br>Updated: 2025-06-30T20:48:41.938Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-46702 | vulnerable | 2026-06-03 15:01:27.836802 | Mattermost Playbooks allows privilege escalation through improper access control in playbook run participant management<br>MEDIUM (5.4)<br>Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users with member-level permissions to bypass system admin restrictions and add or remove users to/from private channels via the playbook run participants feature, even when the 'Manage Members' permission has been explicitly removed. This can lead to unauthorized access to sensitive channel content and allow guest users to gain channel management privileges.<br>Published: 2025-06-30T16:51:13.440Z<br>Updated: 2025-06-30T20:49:08.152Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-3228 | vulnerable | 2026-06-03 15:01:04.061634 | Unauthorized Guest user access to Playbook<br>MEDIUM (4.3)<br>Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allows an attacker access to the playbook run.<br>Published: 2025-06-20T14:31:49.162Z<br>Updated: 2025-06-23T20:45:21.017Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-3227 | vulnerable | 2026-06-03 15:01:04.059178 | Unauthorized channel member management through playbook runs<br>MEDIUM (4.3)<br>Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage Channel Members' permission to add or remove users from public and private channels by manipulating playbook run participants when the run is linked to a channel.<br>Published: 2025-06-20T14:31:48.644Z<br>Updated: 2025-06-23T20:44:50.189Z | Imported from gcve-enriched-dumps CVE data |