CVE-2025-36530

Summary

Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost10.9.0 <= 10.9.1affected
MattermostMattermost10.8.0 <= 10.8.3affected
MattermostMattermost10.5.0 <= 10.5.8affected
MattermostMattermost9.11.0 <= 9.11.17affected
MattermostMattermost10.10.0unaffected
MattermostMattermost10.9.2unaffected
MattermostMattermost10.8.4unaffected
MattermostMattermost10.5.9unaffected
MattermostMattermost9.11.18unaffected

Weaknesses

  • CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References