Base Score

LOW3.1

CVE-2025-62690

Mattermost versions 10.11.x <= 10.11.4 fail to validate redirect URLs on the /error page, which allows an attacker to redirect a victim to a malicious site via a crafted link opened in a new tab.

VectorNETWORK

Published Byresponsibledisclosure@mattermost.com

Published DateDec 17, 2025, 13:15

Affected Versions(3)

github.com/mattermost/mattermost/server/v8(Go)

Introduced8.0.0-20250721062209-4952acea88ce

Fixed8.0.0-20251016131338-dad6bd7a1509

LimitN/A

github.com/mattermost/mattermost(Go)

Introduced10.11.0-rc1

Fixed10.11.5-0.20251016131338-dad6bd7a1509

LimitN/A

github.com/mattermost/mattermost(Go)

Introduced11.0.0-alpha.1

Fixed11.1.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
github.com/mattermost/mattermost/server/v8(Go)	8.0.0-20250721062209-4952acea88ce	8.0.0-20251016131338-dad6bd7a1509	N/A
github.com/mattermost/mattermost(Go)	10.11.0-rc1	10.11.5-0.20251016131338-dad6bd7a1509	N/A
github.com/mattermost/mattermost(Go)	11.0.0-alpha.1	11.1.0	N/A

Weakness Type (CWE):CWE-601

CVSS Metrics

Base Score

3.1

Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Base Severity

LOW

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

LOW

Availability (A)

NONE

References

https://mattermost.com/security-updates

Base Score

LOW3.1

Weakness Type (CWE):CWE-601

CVSS Metrics

Base Score

3.1

Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Base Severity

LOW

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

LOW

Availability (A)

NONE