x/vulndb: potential Go vuln in github.com/mattermost/mattermost: GHSA-p6gj-jc38-x2m7

[GoVulnBot]

Advisory GHSA-p6gj-jc38-x2m7 references a vulnerability in the following Go modules:

Module
github.com/mattermost/mattermost

Description:
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users.

References:

• ADVISORY: GHSA-p6gj-jc38-x2m7
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-12756
• WEB: https://mattermost.com/security-updates

Cross references:

• github.com/mattermost/mattermost appears in 4 other report(s):
  • data/excluded/GO-2023-2391.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost/server/v: GHSA-7664-hcp7-f497 #2391) EFFECTIVELY_PRIVATE
  • data/reports/GO-2023-1939.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost: GHSA-j2h2-cvwh-cr64 #1939)
  • data/reports/GO-2025-4122.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-mqcj-8c2g-h97q #4122)
  • data/reports/GO-2025-4126.yaml (x/vulndb: potential Go vuln in github.com/mattermost/mattermost-server/v6: GHSA-j6gg-r5jc-47cm #4126)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/mattermost/mattermost
      non_go_versions:
        - introduced: TODO (earliest fixed "", vuln range ">= 11.0.0, <= 11.0.2")
        - introduced: TODO (earliest fixed "", vuln range ">= 10.5.0, <= 10.5.12")
        - introduced: TODO (earliest fixed "", vuln range ">= 10.12.0, <= 10.12.1")
        - introduced: TODO (earliest fixed "", vuln range ">= 10.11.0, <= 10.11.4")
      vulnerable_at: 11.1.1+incompatible
summary: Mattermost fails to validate user permissions when deleting comments in Boards in github.com/mattermost/mattermost
cves:
    - CVE-2025-12756
ghsas:
    - GHSA-p6gj-jc38-x2m7
references:
    - advisory: https://github.com/advisories/GHSA-p6gj-jc38-x2m7
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-12756
    - web: https://mattermost.com/security-updates
notes:
    - fix: 'module merge error: could not merge versions of module github.com/mattermost/mattermost: invalid or non-canonical semver version (found TODO (earliest fixed "", vuln range ">= 11.0.0, <= 11.0.2"))'
source:
    id: GHSA-p6gj-jc38-x2m7
    created: 2025-12-02T17:01:12.295711812Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/725981 mentions this issue: data/reports: add 5 reports