PT-2025-34201 · Mattermost · Mattermost

Daw10 · Published 2025-08-21 · Updated 2025-08-29 · CVE-2025-49222

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions:
- Mattermost versions 10.8.x through 10.8.3
- Mattermost versions 10.5.x through 10.5.8
- Mattermost versions 9.11.x through 9.11.17
- Mattermost versions 10.9.x through 10.9.2
- Mattermost versions 10.10.x through 10.10.0

Description: The Mattermost application fails to validate upload types in remote cluster upload sessions. This allows a system administrator to upload non-attachment file types via shared channels, potentially placing them in arbitrary filesystem directories.

Recommendations: For all affected version ranges (10.8.x through 10.8.3, 10.5.x through 10.5.8, 9.11.x through 9.11.17, 10.9.x through 10.9.2, and 10.10.x through 10.10.0), there is at the moment no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration: Unrestricted File Upload

Related Identifiers:
- CVE-2025-49222
- GHSA-Q453-638C-H4MR
- GO-2025-3904

Affected Products: Mattermost