CVE-2025-47700

Summary

Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost10.10.0unaffected
MattermostMattermost10.5.9unaffected
MattermostMattermost10.5.0 <= 10.5.8affected

Weaknesses

  • CWE-918: CWE-918: Server-Side Request Forgery (SSRF)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References