| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At |
|---|---|---|---|---|---|---|
| CVE-2025-10545 | Guest user can add unauthorized team users to private channels | Mattermost | Mattermost | Low | 3.1 | 2025-10-16 08:24:26 |
| CVE-2025-58075 | Arbitrary Mattermost Team can be joined by manipulating the SAML RelayState | Mattermost | Mattermost | High | 8.1 | 2025-10-16 08:20:07 |
| CVE-2025-54499 | Insecure string comparison enables timing attacks | Mattermost | Mattermost | Low | 3.1 | 2025-10-16 08:17:21 |
| CVE-2025-41443 | Guest user can discover active public channels | Mattermost | Mattermost | Medium | 4.3 | 2025-10-16 08:10:41 |
| CVE-2025-58084 | Mattermost Desktop App crashes when clicking on malformed external URL | Mattermost | Mattermost | Low | 3.5 | 2025-10-13 19:57:24 |
| CVE-2025-9081 | IDOR in board file download allows any user to download any file by UUID | Mattermost | Mattermost | Low | 3.1 | 2025-09-19 19:36:15 |
| CVE-2025-9079 | Admin RCE via prepackaged plugins by way of misconfigured imports directory | Mattermost | Mattermost | High | 8.0 | 2025-09-19 19:22:00 |
| CVE-2025-9072 | One-Click Mattermost Account Takeover via Poisoned RelayState SAML Parameter | Mattermost | Mattermost | High | 7.6 | 2025-09-15 10:28:17 |
| CVE-2025-9084 | Open redirect in OAuth login | Mattermost | Mattermost | Low | 3.1 | 2025-09-15 10:22:30 |
| CVE-2025-9078 | Weak cache keys lead to post IDOR and link preview poisoning | Mattermost | Mattermost | Medium | 4.3 | 2025-09-15 10:10:07 |
| CVE-2025-9076 | Mattermost Server exposes sensitive user credentials during shared channel membership synchronization | Mattermost | Mattermost | Medium | 6.5 | 2025-09-15 10:06:15 |
| CVE-2025-6465 | Path traversal in image upload with preview overwrite | Mattermost | Mattermost | Medium | 4.3 | 2025-08-21 17:01:43 |
| CVE-2025-8402 | Nil pointer dereference in bulk import crashes server | Mattermost | Mattermost | Medium | 4.9 | 2025-08-21 17:01:43 |
| CVE-2025-47870 | Team invite ID leaked to team admin with no member invite privileges | Mattermost | Mattermost | Medium | 4.3 | 2025-08-21 08:02:45 |
| CVE-2025-49222 | Mattermost Shared Channel Upload Type Validation Bypass | Mattermost | Mattermost | Medium | 6.8 | 2025-08-21 07:59:45 |
| CVE-2025-8023 | Path Traversal in Template Upload Allows Uploading Files Outside Target Directory | Mattermost | Mattermost | Medium | 6.8 | 2025-08-21 07:51:37 |
| CVE-2025-53971 | Channel and Team Membership APIs inadvertently allow loss of Member privileges | Mattermost | Mattermost | Low | 3.8 | 2025-08-21 07:31:02 |
| CVE-2025-47700 | AI plugin APIs can be triggered using post actions | Mattermost | Mattermost | Low | 3.5 | 2025-08-21 07:28:37 |
| CVE-2025-49810 | Thread summarization allows persistent access to channel | Mattermost | Mattermost | Low | 3.5 | 2025-08-21 07:15:28 |
| CVE-2025-36530 | Import Path Traversal Enables Unauthorized Unsigned Plugin Installation | Mattermost | Mattermost | Medium | 6.8 | 2025-08-21 07:11:43 |