CVE-2025-14822
PUBLISHED
CVSS 3.1 LOW
Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check a WebSocket request field for proper UTF-8 format, which allows an attacker to crash the Calls plug-in by sending a malformed request.
EPSS 0.02% · 7.1th percentile
Risk Scores
CVSS v3.1
3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
EPSS Score
0.02%
7.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | mattermost/mattermost-server | 10.11.0, 11.0.0, 11.0.0 |
| mattermost | mattermost_server | 10.11.0, 10.11.0 |
| Mattermost | Mattermost | 11.1.0, 10.12.3, 10.11.7 |
Timeline
- Dec 18, 2025 CVE Published
- Jan 16, 2026 CVE Updated
- Jan 16, 2026 EPSS Score
- Jan 16, 2026 PoC Published
- Jan 19, 2026 EPSS Score
- Jan 22, 2026 EPSS Score
- Jan 25, 2026 EPSS Score
- Jan 28, 2026 EPSS Score
- Jan 30, 2026 EPSS Score
- Feb 2, 2026 EPSS Score
- Feb 5, 2026 EPSS Score
- Feb 8, 2026 EPSS Score
References
- https://mattermost.com/security-updates/ advisory
- https://mattermost.com/security-updates url
- https://nvd.nist.gov/vuln/detail/CVE-2025-14822 advisory
- https://github.com/mattermost/mattermost/commit/4d86263f5430d0eb991fc52ec886cf778cb072e6 url
- https://github.com/mattermost/mattermost/commit/b3d6c0c564c1a79e54e5105d0a8b60fc58a2bdee url
- https://github.com/mattermost/mattermost package
- https://pkg.go.dev/vuln/GO-2026-4325 url