CVE-2025-9079

Published Sep 19, 2025

Last updated 6 months ago

CVSS high 8.0

Overview

Description
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to prepackaged plugins directory
Source
responsibledisclosure@mattermost.com
NVD status
Analyzed
Products
mattermost_server

Risk scores

CVSS 3.1

Type
Primary
Base score
7.2
Impact score
5.9
Exploitability score
1.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

responsibledisclosure@mattermost.com
CWE-22

Social media

Hype score
Not currently trending

  1. CVE-2025-9079: Path Traversal in Mattermost, 8.0 rating❗️ A vulnerability in some versions of Mattermost allows attackers to execute arbitrary code via a malicious plugin. Search at https://t.co/NGF6IkUksf: 👉 Link: https://t.co/0qlP1CZdnN 👉 Dork: http.title:"mattermost"

    @topboykrepta

    5 Oct 2025

    48 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-9079: Path Traversal in Mattermost, 8.0 rating❗️ A vulnerability in some versions of Mattermost allows attackers to execute arbitrary code via a malicious plugin. Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/JSoNGjAlqw https://t.co/6BAtBybQ2G

    @Netlas_io

    22 Sept 2025

    3313 Impressions

    13 Retweets

    36 Likes

    7 Bookmarks

    1 Reply

    0 Quotes

  3. CVE-2025-9079 Arbitrary Code Execution via Malicious Plugin Upload in Mattermost Versions Below 10.10.2 https://t.co/ReVaHkCf4a

    @VulmonFeeds

    19 Sept 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561CVE-2025-14573
  2. Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the channel_mentions property in the API response. Mattermost Advisory ID: MMSA-2025-00563CVE-2025-14350
  3. Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560CVE-2025-13821
  4. Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548CVE-2026-0999
  5. Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate user identity and post ownership in the {{/api/v1/askPMI}} endpoint which allows unauthorized users to start Zoom meetings as any user and overwrite arbitrary posts via direct API calls with manipulated user IDs and post data.. Mattermost Advisory ID: MMSA-2025-00534CVE-2026-0998

References

Sources include official advisories and independent security research.