Low severity · NVD Advisory · Published Aug 21, 2025 · Updated Aug 21, 2025
AI plugin APIs can be triggered using post actions
CVE-2025-47700
Description
Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies, which allows users to trick users into clicking malicious links via post actions.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost-server (Go) | >= 10.5.0, < 10.5.10 | 10.5.10 |
| github.com/mattermost/mattermost/server/v8 (Go) | < 8.0.0-20250814075248-83a37a861d3c | 8.0.0-20250814075248-83a37a861d3c |
Affected products
- ghsa-coords (2 versions): pkg:golang/github.com/mattermost/mattermost-server, pkg:golang/github.com/mattermost/mattermost/server/v8; range: >= 10.5.0, < 10.5.10 (+ 1 more)
- (no CPE) range: >= 10.5.0, < 10.5.10
- (no CPE) range: < 8.0.0-20250814075248-83a37a861d3c
- Range: 10.5.0
References
- github.com/advisories/GHSA-vqwh-5jhh-vc9p (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-47700 (ghsa, ADVISORY)
- mattermost.com/security-updates (ghsa, WEB)
- pkg.go.dev/vuln/GO-2025-3906 (ghsa, WEB)