What is GHSA-x7w4-j7hv-94wg?

GHSA-x7w4-j7hv-94wg is a security advisory published by GitHub Security Advisories with High severity. Mattermost Plugins versions \u003c=1.1.5 fail to sanitize filenames received from federated peers...

Which CVE IDs does GHSA-x7w4-j7hv-94wg cover?

GHSA-x7w4-j7hv-94wg covers the following CVE IDs: CVE-2026-6957. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-x7w4-j7hv-94wg?

GHSA-x7w4-j7hv-94wg has a CVSS v3 base score of 8.0, published by GitHub Security Advisories.

GHSA-x7w4-j7hv-94wgHighCVSS 8.0

Mattermost Plugins versions <=1.1.5 fail to sanitize filenames received from federated peers...

Vendor

GitHub Security Advisories

Published

May 27, 2026

Last Modified

May 27, 2026

🔗 CVE IDs covered (1)

CVE-2026-6957 →

📋 Description

Mattermost Plugins versions <=1.1.5 fail to sanitize filenames received from federated peers before using them to construct export destination paths, which allows an administrator of a remote federated Mattermost server to write files to arbitrary locations within the target server's filestore via a malicious filename delivered through the shared-channel attachment sync protocol. Mattermost Advisory ID: MMSA-2026-00659

🔗 References (3)

https://nvd.nist.gov/vuln/detail/CVE-2026-6957
https://mattermost.com/security-updates
https://github.com/advisories/GHSA-x7w4-j7hv-94wg