CVE-2025-36530 – github.com/mattermost/mattermost-server
Package
Manager: go
Name: github.com/mattermost/mattermost-server
Vulnerable Version: >=10.9.0 <10.9.2 || >=10.8.0 <10.8.4 || >=10.5.0 <10.5.9 || >=9.11.0 <9.11.18
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00052 pctl0.1576
Details
Mattermost Fails to Validate File Paths
Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, and 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations. This allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.
Metadata
Created: 2025-08-21T09:30:21Z
Modified: 2025-08-29T20:47:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-gq3r-5833-5532/GHSA-gq3r-5833-5532.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-gq3r-5833-5532
Finding: F063
Auto approve: 1