Lucene search

16 matches found

Cvelist
added 2025/08/14 3:26 p.m. · 6 views

CVE-2025-53631 flaskBlog XSS Vulnerability in postContent

flaskBlog is a blog app built with Flask. In versions 2.8.1 and prior, improper sanitization of postContent when submitting POST requests to /createpost leads to arbitrary JavaScript execution (XSS) on all pages the post is reflected on, including /, /post/ID, /admin/posts, and /user/ID of the user...

CVSS 5.3 · EPSS 0.00081
Exploits: 0 · References: 1
Positive Technologies
added 2025/08/14 12:00 a.m. · 6 views

PT-2025-33302 · Flaskblog · Flaskblog

Name of the Vulnerable Software and Affected Versions: flaskBlog versions prior to 2.8.1. Description: flaskBlog is a blog application built with Flask. Improper sanitization of the postContent parameter when submitting POST requests to the /createpost API endpoint leads to arbitrary JavaScript...

CVSS 5.4 · AI score 6.1 · EPSS 0.00081
Exploits: 0 · References: 5
Cvelist
added 2025/07/18 8:48 a.m. · 9 views

CVE-2025-6226 IDOR in CreatePost API allows for timeboxed message disclosure

Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID, which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of...

CVSS 6.5 · EPSS 0.00216
Exploits: 0 · References: 1
CVE
added 2025/07/18 8:48 a.m. · 20 views

CVE-2025-6226

Mattermost Server contains an IDOR-like flaw (CVE-2025-6226) where authentication is not verified when retrieving cached posts by PendingPostID. Affected versions include 9.11.x <= 9.11.16, 10.5.x <= 10.5.6, 10.7.x <= 10.7.3, and 10.8.x

CVSS 6.5 · AI score 6.2 · EPSS 0.00216
Exploits: 0 · References: 1 · Affected Software: 1
Vulnrichment
added 2025/07/18 8:48 a.m. · 5 views

CVE-2025-6226 IDOR in CreatePost API allows for timeboxed message disclosure

Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID, which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of...

CVSS 6.5 · AI score 6.2 · EPSS 0.00216
Exploits: 0 · References: 1
Veracode
added 2024/07/04 9:50 a.m. · 9 views

Improper Access Control

github.com/mattermost/mattermost-server is vulnerable to Improper Access Control. The vulnerability is due to the createPost function not preventing users from specifying a RemoteId for their posts, allowing attackers to create posts with user-defined post IDs. Attackers can use this to cause...

CVSS 5.4 · AI score 7 · EPSS 0.00119
Exploits: 0 · References: 2 · Affected Software: 1
Cvelist
added 2024/07/03 8:35 a.m. · 24 views

CVE-2024-39361 Creating posts with user-defined IDs permitted in CreatePost API

Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5 fail to prevent users from specifying a RemoteId for their posts, which allows an attacker to specify both a remoteId and the post ID, resulting in creating a post with a user-defined post ID. This can cause some broken...

CVSS 3.1 · EPSS 0.00119
Exploits: 0 · References: 1
CVE
added 2024/07/03 8:35 a.m. · 82 views

CVE-2024-39361

CVE-2024-39361 affects Mattermost 9.8.0, 9.7.x up to 9.7.4, 9.6.x up to 9.6.2, and 9.5.x up to 9.5.5. The issue is that the CreatePost API does not prevent users from supplying a RemoteId for posts, allowing an attacker to specify both a remoteId and the post ID and thereby create posts with user...

CVSS 5.4 · AI score 4.5 · EPSS 0.00119
Exploits: 0 · References: 1 · Affected Software: 1
Veracode
added 2023/09/16 8:51 a.m. · 14 views

Information Disclosure

Mattermost is vulnerable to Information Disclosure. The vulnerability is due to a flaw that allows an attacker to request a preview of an existing message while creating a new message using the createPost API call. The attacker can exploit this vulnerability to disclose contents of the linked...

CVSS 6.5 · AI score 6.3 · EPSS 0.00311
Exploits: 0 · References: 2 · Affected Software: 1
Github Security Blog
added 2023/03/31 12:30 p.m. · 32 views

Mattermost vulnerable to information disclosure

Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message...

CVSS 6.5 · AI score 5.4 · EPSS 0.00311
Exploits: 0 · References: 3 · Affected Software: 2
OSV
added 2023/03/31 12:30 p.m. · 15 views

GHSA-3WQ5-3F56-V5XC Mattermost vulnerable to information disclosure

Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message...

CVSS 5.3 · AI score 5.6 · EPSS 0.00311
Exploits: 0 · References: 3
Prion
added 2023/03/31 12:15 p.m. · 9 views

Design/Logic Flaw

Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message...

CVSS 5 · AI score 5.2 · EPSS 0.00311
Exploits: 0 · References: 1 · Affected Software: 1
Cvelist
added 2023/03/31 11:35 a.m. · 11 views

CVE-2023-1777 Information disclosure in linked message previews

Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message...

CVSS 6.5 · AI score 6.5 · EPSS 0.00311
Exploits: 0 · References: 1
CVE
added 2023/03/31 11:35 a.m. · 60 views

CVE-2023-1777

Mattermost contains an information disclosure vulnerability where an attacker can request a preview of a linked message during createPost, causing disclosure of the linked message contents. The provided documents describe the weakness and its impact but do not specify affected versions or a remed...

CVSS 6.5 · AI score 5.6 · EPSS 0.00311
Exploits: 0 · References: 1 · Affected Software: 1
CNNVD
added 2023/03/31 12:00 a.m. · 0 views

Mattermost information disclosure vulnerability

Mattermost is an open source collaboration platform from US-based Mattermost. Mattermost suffers from a message disclosure vulnerability that stems from allowing an attacker to disclose the contents of linked messages by requesting a preview of an existing message when creating a new message via ...

CVSS 6.5 · AI score 5.8 · EPSS 0.00311
Exploits: 0 · References: 2
Positive Technologies
added 2023/03/31 12:00 a.m. · 4 views

PT-2023-17237 · Unknown · Mattermost

Name of the Vulnerable Software and Affected Versions: Mattermost, affected versions not specified. Description: The issue allows an attacker to request a preview of an existing message when creating a new message via the "createPost API call", disclosing the contents of the linked message...

CVSS 6.5 · AI score 5.2 · EPSS 0.00311
Exploits: 0 · References: 8