Vulnerability Details: CVE-2025-6465
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to sanitize file names, which allows users with file upload permission to overwrite file attachment thumbnails via path traversal in file streaming APIs.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 25.5%
CVSS Severity
CVSS v3 Score 4.3
Products affected by CVE-2025-6465
- cpe:2.3:a:mattermost:mattermost_server:10.10.0
- cpe:2.3:a:mattermost:mattermost_server:10.5.0
- cpe:2.3:a:mattermost:mattermost_server:10.5.1
- cpe:2.3:a:mattermost:mattermost_server:10.5.2
- cpe:2.3:a:mattermost:mattermost_server:10.5.3
- cpe:2.3:a:mattermost:mattermost_server:10.5.4
- cpe:2.3:a:mattermost:mattermost_server:10.5.5
- cpe:2.3:a:mattermost:mattermost_server:10.5.6
- cpe:2.3:a:mattermost:mattermost_server:10.5.7
- cpe:2.3:a:mattermost:mattermost_server:10.5.8
- cpe:2.3:a:mattermost:mattermost_server:10.8.0
- cpe:2.3:a:mattermost:mattermost_server:10.8.1
- cpe:2.3:a:mattermost:mattermost_server:10.8.2
- cpe:2.3:a:mattermost:mattermost_server:10.8.3
- cpe:2.3:a:mattermost:mattermost_server:10.9.0
- cpe:2.3:a:mattermost:mattermost_server:10.9.1
- cpe:2.3:a:mattermost:mattermost_server:10.9.2
- cpe:2.3:a:mattermost:mattermost_server:10.9.3