CVE-2025-36530

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-36530
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-36530.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-36530
Aliases
Published
2025-08-21T07:15:29.550Z
Modified
2026-03-09T23:50:56.485688Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.

References

Affected packages

Git / github.com/mattermost/mattermost-server

Affected ranges

Type
GIT
Repo
https://github.com/mattermost/mattermost-server
Events
Introduced
0bc2ddd42375a75ab14e63f038165150d4f07659
Fixed
11c36f4d1e44c36a85aa682becaa7519f63761cf
Introduced
58bd34fd34cbd7d3da777d627b6cffdf8a532930
Fixed
c602a4a78e1f60b9a97ee5bce509ecad4177340c
Introduced
bb105f3a2785636ad53b2d0bf4027900d41f6a67
Fixed
6880f9b5908f20c6c4db1456d3a27603af01dd72
Introduced
14775836a78c8257de08fff229d364755346eff9
Fixed
9dd0b3943e5547e3386d47e84aa18d3c6bac84cf
Database specific 
{
    "versions": [
        {
            "introduced": "9.11.0"
        },
        {
            "fixed": "9.11.18"
        },
        {
            "introduced": "10.5.0"
        },
        {
            "fixed": "10.5.9"
        },
        {
            "introduced": "10.8.0"
        },
        {
            "fixed": "10.8.4"
        },
        {
            "introduced": "10.9.0"
        },
        {
            "fixed": "10.9.2"
        }
    ]
}

Affected versions

@mattermost/client@10.*
@mattermost/client@10.5.0
@mattermost/client@10.8.0
@mattermost/client@9.*
@mattermost/client@9.11.0
@mattermost/types@10.*
@mattermost/types@10.5.0
@mattermost/types@10.8.0
@mattermost/types@9.*
@mattermost/types@9.11.0
mattermost-redux@10.*
mattermost-redux@10.8.0
v10.*
v10.5.0
v10.5.0-rc6
v10.5.1
v10.5.1-rc1
v10.5.1-rc2
v10.5.2
v10.5.3
v10.5.3-rc1
v10.5.4
v10.5.4-rc1
v10.5.4-rc2
v10.5.5
v10.5.5-rc1
v10.5.6
v10.5.6-rc1
v10.5.7
v10.5.8
v10.5.8-rc1
v10.5.9-rc1
v10.5.9-rc2
v10.5.9-rc3
v10.5.9-rc4
v10.8.0
v10.8.0-rc3
v10.8.1
v10.8.2
v10.8.3
v10.8.4-rc1
v10.8.4-rc2
v10.8.4-rc3
v10.8.4-rc4
v10.9.0
v10.9.0-rc4
v10.9.1
v9.*
v9.11.0
v9.11.0-rc3
v9.11.1
v9.11.1-rc1
v9.11.10
v9.11.10-rc1
v9.11.11
v9.11.11-rc1
v9.11.12
v9.11.12-rc1
v9.11.13
v9.11.13-rc1
v9.11.14
v9.11.15
v9.11.16
v9.11.16-rc1
v9.11.17
v9.11.17-rc1
v9.11.18-rc1
v9.11.18-rc2
v9.11.18-rc3
v9.11.18-rc4
v9.11.2
v9.11.2-rc1
v9.11.2-rc2
v9.11.3
v9.11.3-rc1
v9.11.3-rc2
v9.11.4
v9.11.4-rc1
v9.11.5
v9.11.5-rc1
v9.11.6
v9.11.6-rc1
v9.11.6-rc2
v9.11.7
v9.11.7-rc1
v9.11.7-rc2
v9.11.7-rc3
v9.11.8
v9.11.9
v9.11.9-rc1
v9.11.9-rc2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-36530.json"