PT-2026-25683 · Mattermost · Mattermost

Daw10

Publicado

2026-02-13

Atualizado

2026-03-27

CVE-2026-2457

CVSS v3.1

4.3

Média

Vetor

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Mattermost versions 11.3.0 and earlier Mattermost versions 11.2.2 and earlier Mattermost versions 10.11.10 and earlier

Description The software does not properly sanitize client-supplied post metadata. This allows an authenticated attacker to spoof permalink embeds, impersonating other users by sending crafted PUT requests to the post update API endpoint, ''/api/v1/posts/{post id}''. The vulnerable parameter is the post metadata within the PUT request.

Recommendations Update Mattermost to a version later than 11.3.0. Update Mattermost to a version later than 11.2.2. Update Mattermost to a version later than 10.11.10.

Correção

Origin Validation Error

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-346

Identificadores relacionados

BDU:2026-06572

CVE-2026-2457

GHSA-PH22-FW5M-W2Q9

GO-2026-4732

SUSE-SU-2026:1135-1

Produtos afetados

Mattermost

PT-2026-25683 · Mattermost · Mattermost

CVE-2026-2457

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 151