High severity · NVD Advisory · Published Sep 19, 2025 · Updated Feb 26, 2026
Admin RCE via prepackaged plugins by way of misconfigured imports directory
CVE-2025-9079
Description
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate the import directory path configuration, which allows admin users to execute arbitrary code via a malicious plugin upload to the prepackaged plugins directory.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost-server (Go) | >= 10.8.0, < 10.8.4 | 10.8.4 |
| github.com/mattermost/mattermost-server (Go) | >= 10.5.0, < 10.5.9 | 10.5.9 |
| github.com/mattermost/mattermost-server (Go) | >= 9.11.0, < 9.11.18 | 9.11.18 |
| github.com/mattermost/mattermost-server (Go) | >= 10.10.0, < 10.10.2 | 10.10.2 |
| github.com/mattermost/mattermost-server (Go) | >= 10.9.0, < 10.9.4 | 10.9.4 |
| github.com/mattermost/mattermost/server/v8 (Go) | < 8.0.0-20250707221302-a8fa77f107ef | 8.0.0-20250707221302-a8fa77f107ef |
Affected products
- ghsa-coords (5 versions):
  - pkg:golang/github.com/mattermost/mattermost-server
  - pkg:golang/github.com/mattermost/mattermost/server/v8
  - pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
  - pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
- (no CPE) range: >= 10.8.0, < 10.8.4
- (no CPE) range: < 8.0.0-20250707221302-a8fa77f107ef
- (no CPE) range: < 0.0.20251023T162509-150000.1.110.1
- (no CPE) range: < 0.0.20250924T192141-1.1
- (no CPE) range: < 0.0.20251023T162509-150000.1.110.1
- Range: 10.8.0
References
- github.com/advisories/GHSA-qx3f-6vq3-8j8m (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-9079 (ghsa, ADVISORY)
- github.com/mattermost/mattermost/commit/047a2c64071749367fe02d2162f6103a3d31a883 (ghsa, WEB)
- github.com/mattermost/mattermost/commit/439464883aa16a329c23cd6274c4cca7e88e238f (ghsa, WEB)
- github.com/mattermost/mattermost/commit/4ff68eea0a3f3777032d31a1a82f4b1fb492a1ac (ghsa, WEB)
- github.com/mattermost/mattermost/commit/96665b9b98a17534fcd515982a2eb26950581e41 (ghsa, WEB)
- github.com/mattermost/mattermost/commit/a8fa77f107efe83f09a779f8e67cbecf236b0032 (ghsa, WEB)
- github.com/mattermost/mattermost/commit/b38e2eccda182212a8032539658723c7d87e0b7e (ghsa, WEB)
- mattermost.com/security-updates (ghsa, WEB)
- pkg.go.dev/vuln/GO-2025-3977 (ghsa, WEB)