cbcvebase.
CVE-2025-36530
published 2025-08-21

CVE-2025-36530: Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import…

medium4.9CVSS 3.1
AVNACLPRHUINSUCNIHAN
Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.

Affected

19 ranges
VendorProductVersion rangeFixed in
github.commattermost_mattermost-server>= 10.5.0 < 10.5.910.5.9
github.commattermost_mattermost-server>= 10.5.0+incompatible < 10.5.9+incompatible10.5.9+incompatible
github.commattermost_mattermost-server>= 10.8.0 < 10.8.410.8.4
github.commattermost_mattermost-server>= 10.8.0+incompatible < 10.8.4+incompatible10.8.4+incompatible
github.commattermost_mattermost-server>= 10.9.0 < 10.9.210.9.2
github.commattermost_mattermost-server>= 10.9.0+incompatible < 10.9.2+incompatible10.9.2+incompatible
github.commattermost_mattermost-server>= 9.11.0 < 9.11.189.11.18
github.commattermost_mattermost-server>= 9.11.0+incompatible < 9.11.18+incompatible9.11.18+incompatible
github.commattermost_mattermost-server_v50 – 5.11.1
github.commattermost_mattermost-server_v60 – 6.7.2
github.commattermost_mattermost_server_v8>= 0 < 8.0.0-20250619095651-9dd0b3943e558.0.0-20250619095651-9dd0b3943e55
mattermostmattermost10.5.0 – 10.5.8
mattermostmattermost10.8.0 – 10.8.3
mattermostmattermost10.9.0 – 10.9.1
mattermostmattermost9.11.0 – 9.11.17
mattermostmattermost_server>= 10.5.0 < 10.5.910.5.9
mattermostmattermost_server>= 10.8.0 < 10.8.410.8.4
mattermostmattermost_server>= 10.9.0 < 10.9.210.9.2
mattermostmattermost_server>= 9.11.0 < 9.11.189.11.18