cvedb.io
CVE-2025-36530
MEDIUM · CVSS 6.8
EPSS exploitation probability: 0%
Published 2025-08-21T07:15:29.550 · Last modified 2026-06-17T09:14:46.477

Summary

Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.

Affected products

mattermost — mattermost_server

Does this affect you?

Add your gear to cvedb and we'll alert you only when mattermost ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.