CVE-2025-24490

CRITICAL

Mattermost Server < 9.11.8 - SQL Injection

Title source: rule

Description

Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to use prepared statements in the SQL query of boards reordering which allows an attacker to retrieve data from the database, via a SQL injection when reordering specially crafted boards categories.

Exploits (1)

github WORKING POC 1 stars

by exploitintel · pythonpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-24490

View Code ZIP pw:eip

References (1)

[Vendor Advisory] https://mattermost.com/security-updates

Scores

CVSS v3 9.6

EPSS 0.0027

EPSS Percentile 50.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Classification

CWE

CWE-89

Status published

Affected Products (1)

mattermost/mattermost_server < 9.11.8

Timeline

Published Feb 24, 2025

Tracked Since Feb 18, 2026