Detections
Analytics

CVE-2025-36530

medium

Description

Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.

References

https://mattermost.com/security-updates

Details

Source: Mitre, NVD

Published: 2025-08-21

Updated: 2025-08-22

Risk Information

CVSS v2

Base Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 6.8

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00039