Se1En

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 11.5.0 through 11.5.1 Mattermost versions 10.11.0 through 10.11.13 **Description** An issue exists where the system fails to enforce the `PostEditTimeLimit` on non-message post fields. This allows an authenticated user to modify post file attachments, props, and pin status after the edit window has expired by using the post patch and update API endpoints. **Recommendations** Update Mattermost versions 11.5.0 through 11.5.1 to a version newer than 11.5.1. Update Mattermost versions 10.11.0 through 10.11.13 to a version newer than 10.11.13.

**Name of the Vulnerable Software and Affected Versions** Grafana (affected versions not specified) **Description** A time-of-create-to-time-of-use (TOCTOU) issue allows re-deletion of recently deleted and recreated data sources without authorization. The attack requires specific conditions: admin access to the data source before initial deletion, all steps completed within 30 seconds on the same Grafana pod, recreation of the data source by another user, the new data source having the same UID as the previous one, and the attacker not being an admin of the new data source. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** versions prior to 2026-21721 **Description** The dashboard permissions API does not verify the target dashboard scope, only checking the `dashboards.permissions:*` action. This allows a user with permission management rights on one dashboard to read and modify permissions on other dashboards, resulting in a privilege escalation. The API endpoint in question is the dashboard permissions API. The vulnerable action is `dashboards.permissions:*`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.