EUVD-2025-25413

Malicious code in bioql PyPI...

EUVD-2025-30247

Malicious code in bioql PyPI...

GHSA-F72G-52V7-MG3P Mattermost boards plugin fails to restrict download access to files

Mattermost versions 10.5.x = 10.5.8, 9.11.x = 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration...

Mattermost Fails to Sanitize Path Traversal Sequences

Mattermost versions 10.8.x = 10.8.3, 10.5.x = 10.5.8, 9.11.x = 9.11.17, 10.9.x = 10.9.2 fails to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious path components, potentially enabling malicious file...

CVE-2025-53971 Channel and Team Membership APIs inadvertently allow loss of Member privileges.

Mattermost versions 10.5.x = 10.5.8, 9.11.x = 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint...

PT-2025-34201 · Mattermost · Mattermost

Name of the Vulnerable Software and Affected Versions: Mattermost versions 10.8.x through 10.8.3 Mattermost versions 10.5.x through 10.5.8 Mattermost versions 9.11.x through 9.11.17 Mattermost versions 10.9.x through 10.9.2 Mattermost versions 10.10.x through 10.10.0 Description: The Mattermost...

Mattermost 安全漏洞

Mattermost is an open source collaboration platform from Mattermost, Inc. in the United States. A security vulnerability exists in Mattermost versions 10.8.3 and prior to 10.8.x, 10.5.8 and prior to 10.5.x, 9.11.17 and prior to 9.11.x, 10.10.0 and prior to 10.10.x, and 10.9.3 and prior to 10.9.x,...

CVE-2025-2424

Mattermost versions 10.5.x = 10.5.1, 9.11.x = 9.11.9 fail to check if a file has been deleted when creating a bookmark which allows an attacker who knows the IDs of deleted files to obtain metadata of the files via bookmark creation...

CVE-2025-1472

Mattermost versions 9.11.x = 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics...

GHSA-FQRQ-XMXJ-V47X Mattermost Fails to Properly Perform Viewer Role Authorization

Mattermost versions 9.11.x = 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics...

CVE-2025-1472

Mattermost versions 9.11.x = 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics...

PT-2025-6788 · Mattermost · Mattermost

Name of the Vulnerable Software and Affected Versions: Mattermost versions 9.11.x through 9.11.6 Description: The issue allows an attacker to infer user IDs and other metadata from deleted direct messages DMs if someone had manually marked DMs as deleted in the database. This is possible because...

PT-2024-33253 · Mattermost · Mattermost

Name of the Vulnerable Software and Affected Versions: Mattermost versions 9.5.x through 9.5.12 Mattermost versions 9.11.x through 9.11.4 Mattermost versions 10.0.x through 10.0.2 Mattermost versions 10.1.x through 10.1.2 Description: The issue allows an attacker to bypass the "Max failed attempt...

CVE-2024-36250 MFA Code Replay

Mattermost versions 9.11.x = 9.11.2, and 9.5.x = 9.5.10 fail to protect the mfa code against replay attacks, which allows an attacker to reuse the MFA code within 30 seconds...

CVE-2024-42000 Unauthorized Access to view channels' details

Mattermost versions 9.10.x = 9.10.2, 9.11.x = 9.11.1, 9.5.x = 9.5.9 and 10.0.x = 10.0.0 fail to properly authorize the requests to /api/v4/channels which allows a User or System Manager, with "Read Groups" permission but with no access for channels to retrieve details about private channels that...

CVE-2024-46872

Mattermost versions 9.10.x = 9.10.2, 9.11.x = 9.11.1, 9.5.x = 9.5.9 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in Playbooks...

CVE-2024-47003

Mattermost versions 9.11.x = 9.11.0 and 9.5.x = 9.5.8 fail to validate that the message of the permalink post is a string, which allows an attacker to send a non-string value as the message of a permalink post and crash the frontend...

CVE-2024-47003 DoS via non-string message using permalink embed

Mattermost versions 9.11.x = 9.11.0 and 9.5.x = 9.5.8 fail to validate that the message of the permalink post is a string, which allows an attacker to send a non-string value as the message of a permalink post and crash the frontend...

CVE-2021-25220

BIND 9.11.0 - 9.11.36 9.12.0 - 9.16.26 9.17.0 - 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 - 9.11.36-S1 9.16.8-S1 - 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including Supported Preview Editions - are also believed to be affected but have not been tested as th...

CVE-2019-6471 A race condition when discarding malformed packets can cause BIND to exit with an assertion failure

A race condition which may occur when discarding malformed packets can result in BIND exiting due to a REQUIRE assertion failure in dispatch.c. Versions affected: BIND 9.11.0 - 9.11.7, 9.12.0 - 9.12.4-P1, 9.14.0 - 9.14.2. Also all releases of the BIND 9.13 development branch and version 9.15.0 of...