CVE-2025-13352

LOW

Mattermost <10.11.7 - RCE

Title source: llm

Description

Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted notification posts.

References (1)

[Vendor Advisory] https://mattermost.com/security-updates

Scores

CVSS v3 3.0

EPSS 0.0008

EPSS Percentile 24.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1287

Status published

Products (4)

mattermost/mattermost 0 - 10.11.7-0.20251106103514-3b05384dd014Go

mattermost/mattermost 10.11.0-rc1 - 10.11.7-0.20251106103514-3b05384dd014Go

mattermost/mattermost-plugin-github 0 - 1.0.1-0.20250829075715-0deffcfc6beeGo

mattermost/mattermost_server 10.11.0 - 10.11.7

Published Dec 17, 2025

Tracked Since Feb 18, 2026