CVE-2025-62190
MEDIUMMattermost 10.11.0-10.11.6, 10.12.0-10.12.2, 11.0.0-11.0.4 & Calls <1.10.0 - CSRF via Calls Widget
Title source: llmDescription
Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 and Mattermost Calls versions <=1.10.0 fail to implement CSRF protection on the Calls widget page which allows an authenticated attacker to initiate calls and inject messages into channels or direct messages via a malicious webpage or crafted link
References (1)
Core 1
Core References
Vendor Advisory
https://mattermost.com/security-updates
Scores
CVSS v3
4.3
EPSS
0.0001
EPSS Percentile
2.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-352
Status
published
Products (2)
mattermost/mattermost-plugin-calls
0 - 1.10.0Go
mattermost/mattermost_server
10.11.0 - 10.11.7
Published
Dec 17, 2025
Tracked Since
Feb 18, 2026