CVE-2026-6957

Name of the Vulnerable Software and Affected Versions Mattermost Plugins versions prior to 1.1.6

Description Insufficient sanitization of filenames received from federated peers when constructing export destination paths allows a remote administrator of a federated server to perform a path traversal attack. By delivering a malicious filename through the shared-channel attachment sync protocol, an attacker can write files to arbitrary locations within the target server's filestore.

Recommendations Update to a version later than 1.1.5.