VDB
GHSA-fprx-ppqr-8wgf
GHSA-fprx-ppqr-8wgf
PUBLISHED
CVSS 6.599999904632568 MEDIUM
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to restrict plugin installation on CI test instances with default admin credentials which allows an unauthenticated attacker to achieve remote code execution and exfiltrate sensitive configuration data including AWS and SMTP credentials via uploading a malicious plugin after changing the import directory. Mattermost Advisory ID: MMSA-2025-00528
Risk Scores
CVSS 3.1
6.599999904632568
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
Timeline
- Mar 16, 2026 CVE Published
- Apr 10, 2026 Security Advisory