5.1
CVE-2025-2597 - Reflected Cross-Site Scripting (XSS) vulnerability in ITIUM 6050
Reflected Cross-Site Scripting (XSS) in ITIUM 6050 version 5.5.5.2-b3526 from Impact Technologies. This vulnerability could allow an attacker to execute malicious JavaScript code via GET and POST requests to the "/index.php" endpoint by injecting code into "id_session".
7.5
CVE-2025-25068 - Bypassing MFA Enforcement on Plugin Endpoints
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes.
4.3
CVE-2025-24920 - Unauthorized Bookmark Creation and Modification in Archived Channels
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users to create or update bookmarks in archived channels.
4.3
CVE-2025-30179 - MFA Enforcement Bypass in Search APIs
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries.
4.3
CVE-2025-25274 - Unauthorized Command Execution in Archived Channels
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels.
5.4
CVE-2025-27933 - Unauthorized Private-to-Public Channel Conversion
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public.
3.3
CVE-2025-27715 - Auto-Enrollment of Team Admins into Private Channels without explicit consent
Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which results in team admins joining private channels via crafted permalink links without their explicit consent.
2.3
CVE-2025-2584 - WebAssembly wabt binary-reader-interp.cc GetReturnCallDropKeepCount heap-based overflow
A vulnerability was found in WebAssembly wabt 1.0.36. It has been declared as critical. This vulnerability affects the function BinaryReaderInterp::GetReturnCallDropKeepCount of the file wabt/src/interp/binary-reader-interp.cc. The manipulation leads to heap-based buffer overflow. The attack can be…
5.3
CVE-2024-13903 - quickjs-ng QuickJS qjs quickjs.c JS_GetRuntime stack-based overflow
A vulnerability was found in quickjs-ng QuickJS up to 0.8.0. It has been declared as problematic. Affected by this vulnerability is the function JS_GetRuntime of the file quickjs.c of the component qjs. The manipulation leads to stack-based buffer overflow. The attack can be launched remotely. Upgr…
5.1
CVE-2025-2583 - SimpleMachines SMF ManageNews.php cross site scripting
A vulnerability was found in SimpleMachines SMF 2.1.4. It has been classified as problematic. This affects an unknown part of the file ManageNews.php. The manipulation of the argument subject/message leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been…