Home > Vulnerability Database > CVE-2025-36530

Mend.io Vulnerability Database

CVE-2025-36530

Good to know:

Date: August 21, 2025

Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.

Severity Score

6.8

Related Resources (6)

Url: https://github.com/advisories/GHSA-gq3r-5833-5532

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-36530

Url: https://github.com/mattermost/mattermost

Url: https://pkg.go.dev/vuln/GO-2025-3901

Url: https://mattermost.com/security-updates

Url: https://www.mend.io/vulnerability-database/CVE-2025-36530

Severity Score

6.8

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

Upgrade Version

Upgrade to version github.com/mattermost/mattermost - v9.11.18;github.com/mattermost/mattermost - v10.5.9;github.com/mattermost/mattermost - v10.8.4;github.com/mattermost/mattermost - v10.9.2;github.com/mattermost/mattermost-server - v10.9.2;github.com/mattermost/mattermost-server - v10.8.4;github.com/mattermost/mattermost-server - v10.5.9;github.com/mattermost/mattermost-server - v9.11.18;github.com/mattermost/mattermost-server - v9.11.18+incompatible

Learn More

CVSS v3.1

Base Score:	6.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-36530

Good to know:

Date: August 21, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?