VYPR
Get started
← All advisories
Moderate severityOSV Advisory· Published Dec 24, 2025· Updated Dec 24, 2025

Mattermost Jira plugin crafted action leaks Jira issue details

CVE-2025-64641

Description

Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Jira tickets when victim users interacted with affected posts

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/mattermost/mattermost/server/v8Go
< 8.0.0-20251121122154-b57c297c6d78.0.0-20251121122154-b57c297c6d7
github.com/mattermost/mattermost-serverGo
>= 10.11.0, < 10.11.810.11.8
github.com/mattermost/mattermost-serverGo
>= 10.12.0, < 10.12.410.12.4
github.com/mattermost/mattermost-serverGo
>= 11.0.0, < 11.0.611.0.6
github.com/mattermost/mattermost-serverGo
>= 11.1.0, < 11.1.111.1.1

Affected products

1

Patches

1
b57c297c6d7a

Update Jira prepackaged (#34551)

https://github.com/mattermost/mattermostMaria A NunezNov 21, 2025via ghsa
commit
1 file changed · +1 1
  • server/Makefile+1 1 modified
    @@ -155,7 +155,7 @@ PLUGIN_PACKAGES ?= $(PLUGIN_PACKAGES:)
 PLUGIN_PACKAGES += mattermost-plugin-calls-v1.11.0
 PLUGIN_PACKAGES += mattermost-plugin-github-v2.5.0
 PLUGIN_PACKAGES += mattermost-plugin-gitlab-v1.11.0
-PLUGIN_PACKAGES += mattermost-plugin-jira-v4.4.0
+PLUGIN_PACKAGES += mattermost-plugin-jira-v4.4.1
 PLUGIN_PACKAGES += mattermost-plugin-playbooks-v2.6.0
 PLUGIN_PACKAGES += mattermost-plugin-servicenow-v2.4.0
 PLUGIN_PACKAGES += mattermost-plugin-zoom-v1.10.0

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.