Headline

GHSA-mqp8-pgg5-7x7m: Mattermost allows system administrators to access password hashes and MFA secrets

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint

4 days ago

ghsa

Open in Source

#git

GitHub Advisory Database
GitHub Reviewed
CVE-2025-11794

Mattermost allows system administrators to access password hashes and MFA secrets

Moderate severity GitHub Reviewed Published Nov 14, 2025 to the GitHub Advisory Database • Updated Nov 17, 2025

Package

gomod github.com/mattermost/mattermost-server (Go)

Affected versions

>= 10.11.0, < 10.11.4

>= 10.5.0, < 10.5.12

>= 10.12.0, < 10.12.1

Patched versions

10.11.4

10.5.12

10.12.1

gomod github.com/mattermost/mattermost/server/v8 (Go)

< 8.0.0-20250929212932-a41db04d2746

8.0.0-20250929212932-a41db04d2746

Description

Published to the GitHub Advisory Database

Nov 14, 2025

Last updated

Nov 17, 2025

ghsa: Latest News

GHSA-7xcv-9j6c-2fmc: Modular Max Serve has Unsafe Deserialization vulnerability

7 hours ago

ghsa

GHSA-8c52-x9w7-vc95: XWiki view file macro: User can view content of office file without view rights on the attachment

9 hours ago

ghsa

GHSA-6pmj-xjxp-p8g9: LibreNMS is vulnerable to SQL Injection (Boolean-Based Blind) in hostname parameter in ajax_output.php endpoint

10 hours ago

ghsa

GHSA-ffpg-gm3h-4p5p: Backdrop CMS Host Header Injection vulnerability

10 hours ago

ghsa

GHSA-m6vv-vcj8-w8m7: Drupal core allows Object Injection

10 hours ago

ghsa