CVE-2025-24490

CRITICAL LAB

Mattermost Server < 9.11.8 - SQL Injection

Title source: rule

Description

Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to use prepared statements in the SQL query of boards reordering which allows an attacker to retrieve data from the database, via a SQL injection when reordering specially crafted boards categories.

Exploits (1)

github WORKING POC 1 stars

by exploitintel · pythonpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-24490

View Code ZIP pw:eip

References (1)

[Vendor Advisory] https://mattermost.com/security-updates

Scores

CVSS v3 9.6

EPSS 0.0048

EPSS Percentile 65.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Lab Environment

EIP LAB

Lab screenshot

vulnerable docker pull ghcr.io/exploitintel/cve-2025-24490-vulnerable:latest

View in Library GitHub

COMMUNITY

docker pull mattermost/mattermost-enterprise-edition:9.11.7

https://github.com/exploitintel/eip-pocs-and-cves

View in Library

Details

CWE

CWE-89

Status published

Products (1)

mattermost/mattermost_server 9.11.0 - 9.11.8

Published Feb 24, 2025

Tracked Since Feb 18, 2026