Headline
GHSA-4g87-9x45-cx2h: Mattermost fails to sanitize team email addresses
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, and 10.5.x <= 10.5.12 fail to sanitize team email addresses so that they are visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint.
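The class of flaw described above, shown as an added example beside a hardened form. This is not Mattermost's code or its patch: the `Team` and `Viewer` types, both function names and the sample data are hypothetical and constructed for illustration.

```go
package main

import "fmt"

// Team is a simplified stand-in for a team record (hypothetical type).
type Team struct {
	ID    string
	Name  string
	Email string
}

// Viewer carries the requesting user's per-team admin status (hypothetical type).
type Viewer struct {
	ID          string
	TeamAdminOf map[string]bool
}

// commonTeamsUnsanitized mirrors the flaw: records go out as stored,
// so every authenticated caller receives Email.
func commonTeamsUnsanitized(teams []Team, _ Viewer) []Team {
	return teams
}

// commonTeamsSanitized copies each record and blanks Email unless the
// viewer is an admin of that specific team (not merely of some team).
func commonTeamsSanitized(teams []Team, v Viewer) []Team {
	out := make([]Team, 0, len(teams))
	for _, t := range teams {
		if !v.TeamAdminOf[t.ID] {
			t.Email = "" // t is a copy; the stored record is untouched
		}
		out = append(out, t)
	}
	return out
}

// sampleTeams returns constructed sample data.
func sampleTeams() []Team {
	return []Team{
		{ID: "t1", Name: "Engineering", Email: "eng-owner@example.test"},
		{ID: "t2", Name: "Finance", Email: "fin-owner@example.test"},
	}
}

func main() {
	viewer := Viewer{ID: "u1", TeamAdminOf: map[string]bool{"t2": true}}
	fmt.Printf("%+v\n", commonTeamsUnsanitized(sampleTeams(), viewer))
	fmt.Printf("%+v\n", commonTeamsSanitized(sampleTeams(), viewer))
}
```

A regression test for this kind of endpoint should call it as a non-admin member and assert that the email field is empty in the serialized response.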
CVE ID: CVE-2025-12559
Moderate severity • GitHub Reviewed • Published Nov 27, 2025 to the GitHub Advisory Database • Updated Dec 1, 2025
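Package
gomod github.com/mattermost/mattermost-server (Go)
- Affected versions: >= 11.0.0, < 11.0.3; patched version: 11.0.3
- Affected versions: >= 10.12.0, < 10.12.2; patched version: 10.12.2
- Affected versions: >= 10.11.0, < 10.11.5; patched version: 10.11.5
- Affected versions: >= 10.5.0, < 10.5.13; patched version: 10.5.13
Package
gomod github.com/mattermost/mattermost/server/v8 (Go)
- Affected versions: < 8.0.0-20251015091448-abbf01b9db45; patched version: 8.0.0-20251015091448-abbf01b9db45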
Description
Published to the GitHub Advisory Database: Nov 27, 2025