QSearchQSearch

CVE-2026-6957

8.0 HIGH

Mattermost Plugins versions <=1.1.5 fail to sanitize filenames received from federated peers before using them to construct export destin...

Published: 2026-05-27 · Last updated: 2026-06-02

Severity and scoring

CVSS
8.0 HIGH
Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE
CWE-22

Affected products

VendorProduct
mattermostlegal_hold

Description

Mattermost Plugins versions <=1.1.5 fail to sanitize filenames received from federated peers before using them to construct export destination paths, which allows an administrator of a remote federated Mattermost server to write files to arbitrary locations within the target server's filestore via a malicious filename delivered through the shared-channel attachment sync protocol. Mattermost Advisory ID: MMSA-2026-00659

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-4915 Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to filter nil elements from outgoing w... (6.5 MEDIUM)
  • CVE-2026-4858 Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check integration URL for path trav... (8.0 HIGH)
  • CVE-2026-4055 Mattermost versions 11.5.x <= 11.5.1 fail to validate team-level run_create permission against the target team when creating a playbook r... (4.3 MEDIUM)
  • CVE-2026-6347 Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Matter... (7.6 HIGH)
  • CVE-2026-6346 Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before includ... (8.7 HIGH)

Same CWE

  • CVE-2026-52726 Dulwich is a pure-Python implementation of the Git file formats and protocols (7.5 HIGH)
  • CVE-2026-49219 ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
  • CVE-2026-47712 Dulwich is a pure-Python implementation of the Git file formats and protocols (3.3 LOW)
  • CVE-2026-46703 Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to ru... (9.6 CRITICAL)
  • CVE-2026-42305 Dulwich is a pure-Python implementation of the Git file formats and protocols (8.8 HIGH)