What is the CVSS score of CVE-2025-13821?

CVE-2025-13821 has a CVSS 3.1 base score of 5.7 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Mattermost Server are affected by CVE-2025-13821?

CVE-2025-13821 presents moderate security risk, a information exposure vulnerability rated CVSS 5.7. Sensitive information could be exposed to unauthorized parties.. A patch is available.

How to fix or mitigate CVE-2025-13821?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Review data exposure and access controls.

Mattermost Server CVE-2025-13821

MEDIUM

Information Exposure (CWE-200)

2026-02-16 responsibledisclosure@mattermost.com

Information Disclosure Mattermost Server Suse

5.7

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Feb 16, 2026 - 12:16 nvd

MEDIUM 5.7

DescriptionNVD

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560

AnalysisAI

Technical ContextAI

Classified as CWE-200 (Information Exposure). Affects Mattermost Server. Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2025-13821 vulnerability details – vuln.today

Back