CVE-2025-36530

Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.

CVSS v3 6.8 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://mattermost.com/security-updates

Configurations

No configuration.

History

22 Aug 2025, 18:09

Type	Values Removed	Values Added
Summary		(es) Las versiones de Mattermost 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 no validan correctamente las rutas de los archivos durante las operaciones de importación de complementos, lo que permite que los usuarios administradores restringidos instalen complementos personalizados no autorizados mediante el path traversal en la funcionalidad de importación, eludiendo la aplicación de la firma del complemento y las restricciones del mercado.

21 Aug 2025, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-21 07:15

Updated : 2025-08-22 18:09

NVD link : CVE-2025-36530

Mitre link : CVE-2025-36530

CVE.ORG link : CVE-2025-36530

JSON object : View

Products Affected

No product.

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

6.8 /10