x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-f72g-52v7-mg3p

[GoVulnBot]

Advisory GHSA-f72g-52v7-mg3p references a vulnerability in the following Go modules:

Module
github.com/mattermost/mattermost-server

Description:
Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration

References:

• ADVISORY: GHSA-f72g-52v7-mg3p
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-9081
• FIX: mattermost/mattermost-plugin-boards@3f3e3be
• FIX: Added file ownership validation to file access endpoints mattermost/mattermost-plugin-boards#114
• WEB: https://mattermost.com/security-updates

Cross references:

• github.com/mattermost/mattermost-server appears in 132 other report(s):
  • data/excluded/GO-2022-0601.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-gwpf-95jc-63rv #601) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1126.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-5jph-wrq7-v9hf #1126) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1127.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-v42f-hq78-8c5m #1127) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1710.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-3wq5-3f56-v5xc #1710) EFFECTIVELY_PRIVATE
  • data/reports/GO-2022-0540.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-7ggc-5r84-xf54 #540)
  • data/reports/GO-2022-0576.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-32rp-q37p-jg6w #576)
  • data/reports/GO-2022-0595.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-f37q-q7p2-ccfc #595)
  • data/reports/GO-2022-0599.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-fxwj-v664-wv5g #599)
  • data/reports/GO-2022-0604.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v5: GHSA-hv5f-73mr-7vvj #604)
  • data/reports/GO-2022-0616.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v5: GHSA-qggc-pj29-j27m #616)
  • data/reports/GO-2023-1939.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost: GHSA-j2h2-cvwh-cr64 #1939)
  • data/reports/GO-2024-2444.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-9w97-9rqx-8v4j #2444)
  • data/reports/GO-2024-2446.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-h3gq-j7p9-x3p4 #2446)
  • data/reports/GO-2024-2448.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-q7rx-w656-fwmv #2448)
  • data/reports/GO-2024-2450.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-w88v-pjr8-cmv2 #2450)
  • data/reports/GO-2024-2541.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-32h7-7j94-8fc2 #2541)
  • data/reports/GO-2024-2566.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-r833-w756-h5p2 #2566)
  • data/reports/GO-2024-2588.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-3g35-v53r-gpxc #2588)
  • data/reports/GO-2024-2589.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-6mx3-9qfh-77gj #2589)
  • data/reports/GO-2024-2590.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-7v3v-984v-h74r #2590)
  • data/reports/GO-2024-2591.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-fx48-xv6q-6gp3 #2591)
  • data/reports/GO-2024-2592.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-hwjf-4667-gqwx #2592)
  • data/reports/GO-2024-2593.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-pfw6-5rx3-xh3c #2593)
  • data/reports/GO-2024-2594.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-vm9m-57jr-4pxh #2594)
  • data/reports/GO-2024-2595.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-xgxj-j98c-59rv #2595)
  • data/reports/GO-2024-2635.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-r4fm-g65h-cr54 #2635)
  • data/reports/GO-2024-2695.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-mcw6-3256-64gg #2695)
  • data/reports/GO-2024-2696.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-wp43-vprh-c3w5 #2696)
  • data/reports/GO-2024-2706.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-w67v-ph4x-f48q #2706)
  • data/reports/GO-2024-2707.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-xp9j-8p68-9q93 #2707)
  • data/reports/GO-2024-2793.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-5fh7-7mw7-mmx5 #2793)
  • data/reports/GO-2024-2794.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-5qx9-9ffj-5r8f #2794)
  • data/reports/GO-2024-2795.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-8f99-g2pj-x8w3 #2795)
  • data/reports/GO-2024-2796.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-p2wq-4ggp-45f3 #2796)
  • data/reports/GO-2024-2797.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-vx97-8q8q-qgq5 #2797)
  • data/reports/GO-2024-2798.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-wj37-mpq9-xrcm #2798)
  • data/reports/GO-2024-3020.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-762m-4cx6-6mf4 #3020)
  • data/reports/GO-2024-3022.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-9fpw-c9x7-cv3j #3022)
  • data/reports/GO-2024-3023.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-vg67-chm7-8m3j #3023)
  • data/reports/GO-2024-3024.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-vg6q-84p8-qvqh #3024)
  • data/reports/GO-2024-3025.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-56mc-f9w7-2wxq #3025)
  • data/reports/GO-2024-3028.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-cmc8-222c-vqp9 #3028)
  • data/reports/GO-2024-3030.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-jq3g-xqpx-37x3 #3030)
  • data/reports/GO-2024-3031.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-jr9x-3x7m-4j75 #3031)
  • data/reports/GO-2024-3032.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-vvpg-55p7-5h8w #3032)
  • data/reports/GO-2024-3089.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-2jhx-w3vc-w59g #3089)
  • data/reports/GO-2024-3090.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-3j95-8g47-fpwh #3090)
  • data/reports/GO-2024-3091.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-fxq9-6946-34q7 #3091)
  • data/reports/GO-2024-3092.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-q22q-2rrf-m27p #3092)
  • data/reports/GO-2024-3093.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-4ww8-fprq-cq34 #3093)
  • data/reports/GO-2024-3094.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-5263-pm2h-m7hw #3094)
  • data/reports/GO-2024-3096.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-c6vp-jjgv-38wj #3096)
  • data/reports/GO-2024-3097.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-hrf9-rm95-fpf3 #3097)
  • data/reports/GO-2024-3164.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-59hf-mpf8-pqjh #3164)
  • data/reports/GO-2024-3227.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-hm57-h27x-599c #3227)
  • data/reports/GO-2024-3232.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-6mvp-gh77-7vwh #3232)
  • data/reports/GO-2024-3233.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-762g-9p7f-mrww #3233)
  • data/reports/GO-2024-3234.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-762v-rq7q-ff97 #3234)
  • data/reports/GO-2024-3235.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-g376-m3h3-mj4r #3235)
  • data/reports/GO-2024-3334.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-qqc8-rv37-79q5 #3334)
  • data/reports/GO-2024-3337.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-69pr-78gv-7c6h #3337)
  • data/reports/GO-2024-3338.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-826h-p4c3-477p #3338)
  • data/reports/GO-2024-3340.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-v647-h8jj-fw5r #3340)
  • data/reports/GO-2025-3377.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-q8fg-cp3q-5jwm #3377)
  • data/reports/GO-2025-3379.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-2549-xh72-qrpm #3379)
  • data/reports/GO-2025-3380.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-7rgp-4j56-fm79 #3380)
  • data/reports/GO-2025-3392.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-5m7j-6gc4-ff5g #3392)
  • data/reports/GO-2025-3393.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-8j3q-gc9x-7972 #3393)
  • data/reports/GO-2025-3394.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-45v9-w9fh-33j6 #3394)
  • data/reports/GO-2025-3407.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-w6xh-c82w-h997 #3407)
  • data/reports/GO-2025-3480.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-5fwx-p6xh-vjrh #3480)
  • data/reports/GO-2025-3481.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-q8p2-2hwc-jw64 #3481)
  • data/reports/GO-2025-3482.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-rhvr-6w8c-6v7w #3482)
  • data/reports/GO-2025-3483.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-v469-7wp6-7cvp #3483)
  • data/reports/GO-2025-3534.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-fqrq-xmxj-v47x #3534)
  • data/reports/GO-2025-3549.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-3gpx-p63p-pr5r #3549)
  • data/reports/GO-2025-3550.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-4v65-xqcj-wpgg #3550)
  • data/reports/GO-2025-3551.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-72qv-j8vr-xvfv #3551)
  • data/reports/GO-2025-3552.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-rp74-x43m-cpw3 #3552)
  • data/reports/GO-2025-3555.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-cw7q-5cgc-h3h9 #3555)
  • data/reports/GO-2025-3556.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-h5v9-xw2g-7hrq #3556)
  • data/reports/GO-2025-3604.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-xfq9-hh5x-xfq9 #3604)
  • data/reports/GO-2025-3609.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-322v-vh2g-qvpv #3609)
  • data/reports/GO-2025-3610.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-6rqh-8465-2xcw #3610)
  • data/reports/GO-2025-3611.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-wwhj-pw6h-f8hw #3611)
  • data/reports/GO-2025-3618.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-plugin-msteams: GHSA-2j87-p623-8cc2 #3618)
  • data/reports/GO-2025-3619.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-h4rr-f37j-4hh7 #3619)
  • data/reports/GO-2025-3620.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-j5jw-m2ph-3jjf #3620)
  • data/reports/GO-2025-3621.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-j639-m367-75cf #3621)
  • data/reports/GO-2025-3622.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-9h6j-4ffx-cm84 #3622)
  • data/reports/GO-2025-3623.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-mj2p-v2c2-vh4v #3623)
  • data/reports/GO-2025-3642.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-plugin-playbooks: GHSA-3g36-gf7c-75qw #3642)
  • data/reports/GO-2025-3642.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-plugin-playbooks: GHSA-3g36-gf7c-75qw #3642)
  • data/reports/GO-2025-3642.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-plugin-playbooks: GHSA-3g36-gf7c-75qw #3642)
  • data/reports/GO-2025-3643.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-plugin-playbooks: GHSA-689c-xq7x-xjwf #3643)
  • data/reports/GO-2025-3643.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-plugin-playbooks: GHSA-689c-xq7x-xjwf #3643)
  • data/reports/GO-2025-3643.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-plugin-playbooks: GHSA-689c-xq7x-xjwf #3643)
  • data/reports/GO-2025-3644.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-fr22-5377-f3p7 #3644)
  • data/reports/GO-2025-3644.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-fr22-5377-f3p7 #3644)
  • data/reports/GO-2025-3644.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-fr22-5377-f3p7 #3644)
  • data/reports/GO-2025-3691.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-h356-3mfw-x368 #3691)
  • data/reports/GO-2025-3692.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-qgwx-rffp-6cx9 #3692)
  • data/reports/GO-2025-3693.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-r7r2-m3vr-c8qc #3693)
  • data/reports/GO-2025-3694.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-fpff-wj6m-grvr #3694)
  • data/reports/GO-2025-3724.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-4mmr-2w8p-whcr #3724)
  • data/reports/GO-2025-3728.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-86jg-35xj-3vv5 #3728)
  • data/reports/GO-2025-3729.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-8cgx-9ccj-3gwr #3729)
  • data/reports/GO-2025-3730.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-hc6v-386m-93pq #3730)
  • data/reports/GO-2025-3731.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-mc2f-jgj6-6cp3 #3731)
  • data/reports/GO-2025-3756.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-4r67-4x4p-fprg #3756)
  • data/reports/GO-2025-3757.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-jwhw-xf5v-qgxc #3757)
  • data/reports/GO-2025-3769.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-qh58-9v3j-wcjc #3769)
  • data/reports/GO-2025-3771.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-4578-6gjh-f2jm #3771)
  • data/reports/GO-2025-3772.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-qwwm-c582-82rx #3772)
  • data/reports/GO-2025-3796.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-v8fr-vxmw-6mf6 #3796)
  • data/reports/GO-2025-3797.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-wgvp-jj4w-88hf #3797)
  • data/reports/GO-2025-3818.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-4fwj-8595-wp25 #3818)
  • data/reports/GO-2025-3819.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-7h34-9chr-58qh #3819)
  • data/reports/GO-2025-3820.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-wvw2-3jh4-4c39 #3820)
  • data/reports/GO-2025-3901.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-gq3r-5833-5532 #3901)
  • data/reports/GO-2025-3902.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-4276-cm8c-788h #3902)
  • data/reports/GO-2025-3903.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-pwvr-grqg-7vp2 #3903)
  • data/reports/GO-2025-3904.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-q453-638c-h4mr #3904)
  • data/reports/GO-2025-3905.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-qj47-w9f2-qg44 #3905)
  • data/reports/GO-2025-3906.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-vqwh-5jhh-vc9p #3906)
  • data/reports/GO-2025-3907.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-x67c-v8jr-p29r #3907)
  • data/reports/GO-2025-3910.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-pj6f-rc94-gw53 #3910)
  • data/reports/GO-2025-3911.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-h469-4fcf-p23h #3911)
  • data/reports/GO-2025-3950.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-3vcm-c42p-3hhf #3950)
  • data/reports/GO-2025-3958.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-69j8-prx2-vx98 #3958)
  • data/reports/GO-2025-3959.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v8: GHSA-9p92-x77w-9fw2 #3959)
  • data/reports/GO-2025-3960.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server: GHSA-hm95-jx66-g2gh #3960)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/mattermost/mattermost-server
      versions:
        - introduced: 9.11.0-rc1+incompatible
        - fixed: 9.11.18+incompatible
        - introduced: 10.5.0-rc1+incompatible
        - fixed: 10.5.9+incompatible
      non_go_versions:
        - fixed: 0.0.0-20250716054606-3f3e3becfe1d
        - fixed: 8.0.0-20250721095935-11c36f4d1e44
      vulnerable_at: 10.5.9-rc4+incompatible
summary: Mattermost boards plugin fails to restrict download access to files in github.com/mattermost/mattermost-server
cves:
    - CVE-2025-9081
ghsas:
    - GHSA-f72g-52v7-mg3p
references:
    - advisory: https://github.com/advisories/GHSA-f72g-52v7-mg3p
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-9081
    - fix: https://github.com/mattermost/mattermost-plugin-boards/commit/3f3e3becfe1d66db0d0f4fd235f04afd6e1ec40b
    - fix: https://github.com/mattermost/mattermost-plugin-boards/pull/114
    - web: https://mattermost.com/security-updates
source:
    id: GHSA-f72g-52v7-mg3p
    created: 2025-09-22T18:02:46.19557202Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/705915 mentions this issue: data/reports: add GO-2025-3978