
4 matches found

CVE
• added 2026/02/06 3:52 p.m. • 12 views

CVE-2025-13523

CVE-2025-13523 affects Mattermost Confluence plugin versions prior to 1.7.0. The root cause is improper escaping of user-controlled display names during HTML template rendering. This allows authenticated Confluence users with malicious display names to trigger arbitrary JavaScript execution in a ...

CVSS: 7.7 | AI score: 5.8 | EPSS: 0.00018
Exploits: 0 | References: 1 | Affected Software: 1
SUSE CVE
• added 2025/08/21 11:21 p.m. • 1 views

SUSE CVE-2025-54525

Mattermost Confluence Plugin version 1.5.0 fails to handle an unexpected request body, which allows attackers to crash the plugin by constantly hitting the create channel subscription endpoint with an invalid request body...

CVSS: 7.5 | AI score: 7 | EPSS: 0.00436
Exploits: 0 | References: 2
OSV
• added 2025/08/11 7:15 p.m. • 1 views

CVE-2025-54458

Mattermost Confluence Plugin version 1.5.0 fails to check the user's access to the Confluence space, which allows attackers to create a subscription for a Confluence space the user does not have access to via the create subscription endpoint...

CVSS: 5 | AI score: 5.8 | EPSS: 0.00183
Exploits: 0 | References: 1
Cvelist
• added 2025/08/11 6:57 p.m. • 5 views

CVE-2025-53857 Lack of Authorization on Get Channel Subscriptions for Autocomplete in Mattermost Confluence Plugin

Mattermost Confluence Plugin version 1.5.0 fails to check the user's access to the channel, which allows attackers to get channel subscription details without proper access to the channel via an API call to the GET autocomplete/GetChannelSubscriptions endpoint...

CVSS: 3.7 | EPSS: 0.00199
Exploits: 0 | References: 1