CVE-2025-6233

Medium CVSS 6.8

Overview

Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal.

CWE: CWE-22 Published: 2025-07-18T10:15:34.940

Risk analysis

This vulnerability is rated 🟡 MEDIUM.

CVSS: 6.8 (MEDIUM)
Detected tags: path (tag impact: MODERATE)

Recommended actions:

Canonicalize path; block `..` traversal; use allowlists.

Overview

Recommended tools

Tags