VDB

GHSA-fprx-ppqr-8wgf

GHSA-fprx-ppqr-8wgf PUBLISHED CVSS 6.599999904632568 MEDIUM

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to restrict plugin installation on CI test instances with default admin credentials which allows an unauthenticated attacker to achieve remote code execution and exfiltrate sensitive configuration data including AWS and SMTP credentials via uploading a malicious plugin after changing the import directory. Mattermost Advisory ID: MMSA-2025-00528

Risk Scores

CVSS 3.1
6.599999904632568
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

Timeline

  • Mar 16, 2026 CVE Published
  • Apr 10, 2026 Security Advisory
Open in Interactive Console →
$ Console Community · 100/wk Open console ›