MEDIUM 4.3 Go
Mattermost has CSRF vulnerability via Calls Widget page
GHSA-gmx5-frv9-9m9f · CVE-2025-62190 · GO-2025-4254
Description
Mattermost versions 11.0.x < 11.0.4, 10.12.x <= 10.12.2, 10.11.x < 10.11.6 and Mattermost Calls versions < 1.10.0 fail to implement CSRF protection on the Calls widget page. Because the widget's state-changing requests are authorized by the session cookie alone, an authenticated attacker can initiate calls and inject messages into channels or direct messages in another logged-in user's session by luring that user to a malicious webpage or a crafted link.
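The check the advisory says was missing, as an added Go example that is not the Calls plugin's code and does not reproduce the fix in the referenced commit. It shows a cookie-only widget endpoint (the vulnerable shape) next to a wrapper that additionally demands either the `X-Requested-With: XMLHttpRequest` header or a per-session `X-CSRF-Token` header, neither of which a cross-site form post can supply. The cookie name, the endpoint path, the session store and the token values are all constructed for this example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// session is a constructed stand-in for the server's session record. The CSRF
// token is minted per session and handed to the widget's JavaScript at load
// time; a third-party page cannot read it.
type session struct {
	UserID    string
	CSRFToken string
}

// Constructed session store: auth cookie value -> session (assumption, not the
// real server's storage).
var sessions = map[string]session{
	"sess-alice": {UserID: "alice", CSRFToken: "csrf-9f8e7d6c"},
}

// sessionFromRequest authenticates purely by cookie. The browser attaches that
// cookie to a cross-site form submission too, which is the root of CSRF.
func sessionFromRequest(r *http.Request) (session, bool) {
	c, err := r.Cookie("MMAUTHTOKEN") // cookie name assumed for this example
	if err != nil {
		return session{}, false
	}
	s, ok := sessions[c.Value]
	return s, ok
}

// startCall stands in for a state-changing widget endpoint (start a call, post
// a message). On its own it is the vulnerable shape: cookie auth, nothing else.
func startCall(w http.ResponseWriter, r *http.Request) {
	s, ok := sessionFromRequest(r)
	if !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "call started by %s in channel %s\n", s.UserID, r.FormValue("channel_id"))
}

// requireCSRF wraps a handler so that state-changing methods must carry proof
// that the request came from the widget's own script, not a foreign page.
func requireCSRF(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r) // safe methods must not change state anyway
			return
		}
		s, ok := sessionFromRequest(r)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		// A custom header cannot be added by an HTML form and makes a cross-origin
		// fetch non-simple, so the browser sends a CORS preflight that this server
		// never approves for foreign origins. That only holds if CORS is not
		// configured to allow arbitrary origins with credentials.
		if r.Header.Get("X-Requested-With") == "XMLHttpRequest" {
			next.ServeHTTP(w, r)
			return
		}
		// Otherwise the widget's script must echo the per-session token it
		// received at load time. Constant-time compare avoids leaking it byte by byte.
		got := r.Header.Get("X-CSRF-Token")
		if got != "" && subtle.ConstantTimeCompare([]byte(got), []byte(s.CSRFToken)) == 1 {
			next.ServeHTTP(w, r)
			return
		}
		http.Error(w, "csrf check failed", http.StatusForbidden)
	})
}

// post replays a POST to the widget endpoint with the given headers and returns
// the status code; protected selects the wrapped handler. The body mimics what
// an auto-submitting form on an attacker's page would send.
func post(protected bool, headers map[string]string) int {
	var h http.Handler = http.HandlerFunc(startCall)
	if protected {
		h = requireCSRF(h)
	}
	req := httptest.NewRequest(http.MethodPost, "/plugins/calls/start", // path assumed
		strings.NewReader("channel_id=general"))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	crossSite := map[string]string{"Cookie": "MMAUTHTOKEN=sess-alice"}
	fmt.Println("vulnerable, cross-site form post:", post(false, crossSite))
	fmt.Println("protected, cross-site form post: ", post(true, crossSite))
	fmt.Println("protected, widget with token:    ", post(true, map[string]string{
		"Cookie": "MMAUTHTOKEN=sess-alice", "X-CSRF-Token": "csrf-9f8e7d6c"}))
}
```

The cross-site request carries the victim's cookie and nothing else, so the unwrapped handler happily starts a call in their name; the wrapped handler returns 403 for the same request and 200 only when the widget's own script adds a header a foreign origin cannot. Cookie-only authorization is the signal to look for when auditing other plugin endpoints.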
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-62190
- WEB https://github.com/mattermost/mattermost-plugin-calls/commit/429cfaf2a301a369414d1ca18a3364e85901c8d1
- PACKAGE https://github.com/mattermost/mattermost-plugin-calls
- WEB https://github.com/mattermost/mattermost-plugin-calls/releases/tag/v1.10.0
- WEB https://mattermost.com/security-updates