Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in arbitrary filesystem directories.
References
| Link | Resource |
|---|---|
| https://mattermost.com/security-updates | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
17 Jun 2026, 09:30
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* cpe:2.3:a:mattermost:mattermost_server:10.10.0:-:*:*:*:*:*:* |
|
| First Time |
Mattermost mattermost Server
Mattermost |
|
| References | () https://mattermost.com/security-updates - Vendor Advisory |
22 Aug 2025, 18:09
| Type | Values Removed | Values Added |
|---|---|---|
| Summary |
|
21 Aug 2025, 08:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-08-21 08:15
Updated : 2026-06-17 09:30
NVD link : CVE-2025-49222
Mitre link : CVE-2025-49222
CVE.ORG link : CVE-2025-49222
JSON object : View
Products Affected
mattermost
- mattermost_server
CWE
CWE-434
Unrestricted Upload of File with Dangerous Type
