CVE-2025-13352

LOW

Mattermost <10.11.7 - RCE

Title source: llm

Description

Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted notification posts.

References (1)

[Vendor Advisory] https://mattermost.com/security-updates

Scores

CVSS v3 3.0

EPSS 0.0006

EPSS Percentile 19.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

Classification

CWE

CWE-1287

Status published

Affected Products (4)

mattermost/mattermost_server < 10.11.7

mattermost/mattermost < 10.11.7-0.20251106103514-3b05384dd014Go

mattermost/mattermost-plugin-github < 1.0.1-0.20250829075715-0deffcfc6beeGo

Timeline

Published Dec 17, 2025

Tracked Since Feb 18, 2026