pkg:Go/github.com/mattermost/mattermost/server/v8

348 total CVEsCRITICAL10HIGH23MEDIUM221LOW94

✅ Check your installed version

All known vulnerabilities

CRITICAL9.9CVE-2025-12421Mattermost fails to to verify the token used during code exchange in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20251022210333-acda1fb5dd46
CRITICAL9.9CVE-2025-12421Mattermost fails to to verify the token used during code exchange in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20251022210333-acda1fb5dd46
CRITICAL9.9CVE-2025-12419Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20251028000919-d3ed703dc833
CRITICAL9.9CVE-2025-12419Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20251028000919-d3ed703dc833
CRITICAL9.9CVE-2025-4981Mattermost allows authenticated users to write files to arbitrary locations in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250519205859-65aec10162f6
CRITICAL9.9CVE-2025-4981Mattermost allows authenticated users to write files to arbitrary locations in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250519205859-65aec10162f6
CRITICAL9.9CVE-2025-25279Mattermost allows reading arbitrary files related to importing boards
from 0, < 8.0.0-20250122165010-4ed702ccff4e
CRITICAL9.9CVE-2025-25279Mattermost allows reading arbitrary files related to importing boards
from 0, < 8.0.0-20250122165010-4ed702ccff4e
CRITICAL9.9CVE-2025-20051Mattermost allows reading arbitrary files
from 0, < 8.0.0-20250122165010-4ed702ccff4e
CRITICAL9.9CVE-2025-20051Mattermost allows reading arbitrary files
from 0, < 8.0.0-20250122165010-4ed702ccff4e
HIGH8.7CVE-2026-6346Mattermost doesn't sanitize sensitive configuration fields before including them in support packet generation
>= 11.5.0, < 11.5.2
HIGH8.7CVE-2024-39777Mattermost allows unsolicited invites to expose access to local channels in github.com/mattermost/mattermost-server
from 0
HIGH8.7CVE-2024-39777Mattermost allows unsolicited invites to expose access to local channels in github.com/mattermost/mattermost-server
>= 9.9.0, < 9.9.1
HIGH8.7CVE-2024-39274Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel in github.com/mattermost/mattermost-server
from 0
HIGH8.7CVE-2024-39274Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel in github.com/mattermost/mattermost-server
>= 9.5.0, < 9.5.7
HIGH8.1CVE-2025-58075Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
from 0
HIGH8.1CVE-2025-58075Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250815100400-2d5cdc6e217e
HIGH8.1CVE-2025-58073Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250807174701-e14175eb6539
HIGH8.1CVE-2025-58073Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250807174701-e14175eb6539
HIGH8.0CVE-2026-3108Mattermost allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences
>= 11.4.0-rc1, < 11.4.1
HIGH8.0CVE-2025-9079Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250707221302-a8fa77f107ef
HIGH8.0CVE-2025-9079Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250707221302-a8fa77f107ef
HIGH7.6CVE-2025-9072Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250731063404-9eebaadf8f72
HIGH7.6CVE-2025-9072Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250731063404-9eebaadf8f72
HIGH7.5CVE-2026-24458Mattermost fails to properly handle very long passwords
from 0, < 8.0.0-20260129164748-7201f42d955f
HIGH7.5CVE-2026-24458Mattermost fails to properly handle very long passwords
from 0, < 8.0.0-20260129164748-7201f42d955f
HIGH7.5CVE-2025-25068Mattermost Fails to Enforce MFA on Plugin Endpoints in github.com/mattermost/mattermost-server
from 0
HIGH7.5CVE-2025-25068Mattermost Fails to Enforce MFA on Plugin Endpoints in github.com/mattermost/mattermost-server
>= 10.4.0, < 10.4.3
HIGH7.4CVE-2024-36492Mattermost failed to disallow the modification of local users when syncing users in shared channels in github.com/mattermost/mattermost-server
>= 9.5.0, < 9.5.7
HIGH7.4CVE-2024-36492Mattermost failed to disallow the modification of local users when syncing users in shared channels in github.com/mattermost/mattermost-server
from 0
HIGH7.2CVE-2025-14273Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-plugin-jira
from 0, < 8.0.0-20251121122154-b57c297c6d7a
HIGH7.2CVE-2025-14273Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-plugin-jira
from 0, < 8.0.0-20251121122154-b57c297c6d7a
HIGH7.1CVE-2023-6458Mattermost Injection vulnerability
from 0, < 8.1.5
MEDIUM6.8CVE-2026-28741Mattermost doesn't validate CSRF tokens on an authentication endpoint
>= 8.0.0-20250721062209-4952acea88ce, < 8.0.0-20260220133927-c29cf05d40f8
MEDIUM6.8CVE-2026-3112Mattermost allows system administrators to read arbitrary host files via malicious AdvancedLoggingJSON configuration
>= 11.4.0-rc1, < 11.4.1
MEDIUM6.8CVE-2025-8023Mattermost Fails to Sanitize Path Traversal Sequences in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250708065844-b38e2eccda18
MEDIUM6.8CVE-2025-8023Mattermost Fails to Sanitize Path Traversal Sequences in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250708065844-b38e2eccda18
MEDIUM6.8CVE-2025-49222Mattermost Fails to Validate Remote Cluster Upload Sessions in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250708173752-d6b35c41f0ae5
MEDIUM6.8CVE-2025-36530Mattermost Fails to Validate File Paths in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250619095651-9dd0b3943e55
MEDIUM6.8CVE-2025-49222Mattermost Fails to Validate Remote Cluster Upload Sessions in github.com/mattermost/mattermost-server
from 0
MEDIUM6.8CVE-2025-36530Mattermost Fails to Validate File Paths in github.com/mattermost/mattermost-server
from 0
MEDIUM6.8CVE-2025-6233Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250529054450-d38c27f96fcf
MEDIUM6.8CVE-2025-6233Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250529054450-d38c27f96fcf
MEDIUM6.8CVE-2024-39832Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling in github.com/mattermost/mattermost-server
>= 9.5.0, < 9.5.7
MEDIUM6.8CVE-2024-39832Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling in github.com/mattermost/mattermost-server
from 0
MEDIUM6.5CVE-2026-6345Mattermost doesn't prevent disclosure of created user password
>= 11.5.0, < 11.5.2
MEDIUM6.5CVE-2026-5163Mattermost doesn't verify channel membership when processing AI-assisted message rewrites
>= 11.5.0, < 11.5.2
MEDIUM6.5CVE-2026-3590Mattermost has session spoofing due to lack of single-use consumption of guest magic link tokens enforcement
>= 8.0.0-20250721062209-4952acea88ce, < 8.0.0-20250723052842-4cb8d8940332
MEDIUM6.5CVE-2026-3114Mattermost doesn't validate decompressed archive entry sizes during file extraction
>= 11.4.0, < 11.4.1
MEDIUM6.5CVE-2025-55070Mattermost does not enforce MFA on WebSocket connections in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250912063506-7d8b7b5e4a60
MEDIUM6.5CVE-2025-55070Mattermost does not enforce MFA on WebSocket connections in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250912063506-7d8b7b5e4a60
MEDIUM6.5CVE-2025-9076Mattermost Missing Authorization vulnerability in github.com/mattermost/mattermost-server
from 0
MEDIUM6.5CVE-2025-9076Mattermost Missing Authorization vulnerability in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250729073403-517ae758cd02
MEDIUM6.5CVE-2025-6226Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250520130510-fa40a8c5d47f
MEDIUM6.5CVE-2025-6226Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250520130510-fa40a8c5d47f
MEDIUM6.5CVE-2025-41395Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type
from 0
MEDIUM6.5CVE-2025-35965Mattermost Playbooks fails to validate the uniqueness and quantity of task actions
from 0, < 8.0.0-20250218121836-2b5275d87136
MEDIUM6.5CVE-2025-41395Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type
from 0, < 8.0.0-20250218121836-2b5275d87136
MEDIUM6.5CVE-2025-35965Mattermost Playbooks fails to validate the uniqueness and quantity of task actions
from 0
MEDIUM6.5CVE-2025-20621Mattermost webapp crash via a crafted post
from 0, < 8.0.0-20241127161322-25ff7a3779a5
MEDIUM6.5CVE-2025-20621Mattermost webapp crash via a crafted post
>= 10.2.0, < 10.2.1
MEDIUM6.5CVE-2025-20086Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20241127161322-25ff7a3779a5
MEDIUM6.5CVE-2025-20088Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server
>= 10.2.0, < 10.2.1
MEDIUM6.5CVE-2025-20086Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server
>= 10.2.0, < 10.2.1
MEDIUM6.5CVE-2025-20088Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20241127161322-25ff7a3779a5
MEDIUM6.5CVE-2025-21088Mattermost Incorrect Type Conversion or Cast
from 0, < 8.0.0-20241127161322-25ff7a3779a5
MEDIUM6.5CVE-2025-21088Mattermost Incorrect Type Conversion or Cast
>= 10.2.0, < 10.2.1
MEDIUM6.5CVE-2024-54682Mattermost Data Amplification vulnerability in github.com/mattermost/mattermost-server
>= 10.1.0, < 10.1.3
MEDIUM6.5CVE-2024-54083Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server
>= 10.1.0, < 10.1.3
MEDIUM6.5CVE-2024-54682Mattermost Data Amplification vulnerability in github.com/mattermost/mattermost-server
from 0
MEDIUM6.5CVE-2024-54083Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server
from 0
MEDIUM6.5CVE-2024-2447Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server
from 0
MEDIUM6.5CVE-2024-2447Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server
>= 8.1.0, < 8.1.11
MEDIUM6.5CVE-2023-5195Mattermost Incorrect Authorization vulnerability
>= 8.1.0, < 8.1.1
MEDIUM6.5CVE-2023-5196Mattermost Uncontrolled Resource Consumption vulnerability
>= 8.1.0, < 8.1.1
MEDIUM6.0CVE-2024-42497Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams in github.com/mattermost/mattermost-server
>= 9.5.0, < 9.5.8
MEDIUM6.0CVE-2024-42497Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams in github.com/mattermost/mattermost-server
from 0
MEDIUM5.8CVE-2025-31947Mattermost Fails to Lockout LDAP Users After Repeated Login Failures in github.com/mattermost/mattermost-server
>= 10.6.0, < 10.6.2
MEDIUM5.8CVE-2025-31947Mattermost Fails to Lockout LDAP Users After Repeated Login Failures in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250415054241-76ab3867b785
MEDIUM5.7CVE-2026-27656Mattermost allows attackers to take over arbitrary user accounts via overly permissive substring matching flaw
>= 8.0.0-20260105080200-d27a2195068d, < 8.0.0-20260217110922-b7d4a1f1f59b
MEDIUM5.7CVE-2025-13821Mattermost fails to sanitize sensitive data in WebSocket messages
from 0, < 8.0.0-20251210191531-cd17b61de41b
MEDIUM5.7CVE-2025-13821Mattermost fails to sanitize sensitive data in WebSocket messages
from 0, < 8.0.0-20251210191531-cd17b61de41b
MEDIUM5.5CVE-2024-41144Mattermost allows remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server
>= 9.5.0, < 9.5.7
MEDIUM5.5CVE-2024-41144Mattermost allows remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server
from 0
MEDIUM5.4CVE-2026-4274Mattermost has an Incorrect Authorization issue
>= 11.4.0-rc1, < 11.4.1
MEDIUM5.4CVE-2026-0999Mattermost fails to properly validate login method restrictions
from 0, < 8.0.0-20251212052346-61651b0df7ea
MEDIUM5.4CVE-2026-0999Mattermost fails to properly validate login method restrictions
from 0, < 8.0.0-20251212052346-61651b0df7ea
MEDIUM5.4CVE-2025-55073Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250929212932-a41db04d2746
MEDIUM5.4CVE-2025-55073Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250929212932-a41db04d2746
MEDIUM5.4CVE-2025-41410Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250822083415-01b95392a450
MEDIUM5.4CVE-2025-41410Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
from 0
MEDIUM5.4CVE-2025-46702Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250513065225-4ae5d647fb88
MEDIUM5.4CVE-2025-46702Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250513065225-4ae5d647fb88
MEDIUM5.4CVE-2025-3230Mattermost fails to properly invalidate personal access tokens upon user deactivation in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250402193107-65343f84a783
MEDIUM5.4CVE-2025-3230Mattermost fails to properly invalidate personal access tokens upon user deactivation in github.com/mattermost/mattermost-server
>= 10.7.0-rc1, < 10.7.1
MEDIUM5.4CVE-2025-2475Mattermost vulnerable to Incorrect Implementation of Authentication Algorithm
from 0, < 8.0.0-20250220161544-fd356b62b4dd
MEDIUM5.4CVE-2025-2475Mattermost vulnerable to Incorrect Implementation of Authentication Algorithm
>= 10.5.0, < 10.5.2
MEDIUM5.4CVE-2025-27933Mattermost allows members with permission to convert public channels to private and convert private to public in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250218135018-e644e3c8e393
MEDIUM5.4CVE-2025-27933Mattermost allows members with permission to convert public channels to private and convert private to public in github.com/mattermost/mattermost-server
>= 10.4.0, < 10.4.3
MEDIUM5.4CVE-2024-47003Mattermost fails to strip `embeds` from `metadata` when broadcasting `posted` events in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20240806094731-69a8b3df0f9f
MEDIUM5.4CVE-2024-47003Mattermost fails to strip `embeds` from `metadata` when broadcasting `posted` events in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20240806094731-69a8b3df0f9f
MEDIUM5.3CVE-2026-2456Mattermost fails to limit the size of responses from integration action endpoints
from 0, < 8.0.0-20260127165411-fe3052073dc6
MEDIUM5.3CVE-2026-2456Mattermost fails to limit the size of responses from integration action endpoints
from 0, < 8.0.0-20260127165411-fe3052073dc6
MEDIUM5.3CVE-2025-3913Mattermost improperly allows team administrators to modify team invites in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250412152950-02c76784380a
MEDIUM5.3CVE-2025-3913Mattermost improperly allows team administrators to modify team invites in github.com/mattermost/mattermost-server
>= 10.7.0-rc1, < 10.7.1
MEDIUM5.3CVE-2025-27936Mattermost vulnerable to Observable Timing Discrepancy in github.com/mattermost/mattermost-plugin-msteams
>= 10.5.0, < 10.5.2
MEDIUM5.3CVE-2025-27936Mattermost vulnerable to Observable Timing Discrepancy in github.com/mattermost/mattermost-plugin-msteams
from 0, < 8.0.0-20250218121836-2b5275d87136
MEDIUM5.3CVE-2023-6459Mattermost Exposure of Sensitive Information to an Unauthorized Actor vulnerability
from 0, < 8.1.5
MEDIUM5.3CVE-2023-48369Mattermost Uncontrolled Resource Consumption vulnerability
>= 9.1.0, < 9.1.1
MEDIUM5.3CVE-2023-5969Mattermost vulnerable to excessive memory consumption
>= 8.0.0, < 8.0.4
MEDIUM4.9CVE-2025-11794Mattermost allows system administrators to access password hashes and MFA secrets in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250929212932-a41db04d2746
MEDIUM4.9CVE-2025-11794Mattermost allows system administrators to access password hashes and MFA secrets in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250929212932-a41db04d2746
MEDIUM4.9CVE-2025-8402Mattermost has Potential Server Crash due to Unvalidated Import Data in github.com/mattermost/mattermost-server
from 0
MEDIUM4.9CVE-2025-8402Mattermost has Potential Server Crash due to Unvalidated Import Data in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250708173752-d6b35c41f0ae5
MEDIUM4.9CVE-2023-5968Mattermost password hash disclosure vulnerability
>= 8.0.0, < 8.0.4
MEDIUM4.8CVE-2024-48872Mattermost Race Condition vulnerability in github.com/mattermost/mattermost-server
from 0
MEDIUM4.8CVE-2024-48872Mattermost Race Condition vulnerability in github.com/mattermost/mattermost-server
>= 10.1.0, < 10.1.3
MEDIUM4.8CVE-2024-39836Mattermost allows remote/synthetic users to create sessions, reset passwords in github.com/mattermost/mattermost-server
>= 9.9.0, < 9.9.2
MEDIUM4.8CVE-2024-39836Mattermost allows remote/synthetic users to create sessions, reset passwords in github.com/mattermost/mattermost-server
from 0
MEDIUM4.7CVE-2025-32093Mattermost Fails to Restrict Certain Operations on System Admins in github.com/mattermost/mattermost-server
>= 10.5.0, < 10.5.2
MEDIUM4.7CVE-2025-32093Mattermost Fails to Restrict Certain Operations on System Admins in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250227102013-aa4623a93199
MEDIUM4.7CVE-2024-8071Mattermost doesn't restrict which roles can promote a user as system admin in github.com/mattermost/mattermost-server
>= 9.9.0, < 9.9.2
MEDIUM4.7CVE-2024-8071Mattermost doesn't restrict which roles can promote a user as system admin in github.com/mattermost/mattermost-server
from 0
MEDIUM4.7CVE-2024-29221Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server
from 0
MEDIUM4.7CVE-2024-29221Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server
>= 8.1.0, < 8.1.11
MEDIUM4.6CVE-2026-27659Mattermost doesn't properly validate CSRF tokens
>= 11.4.0-rc1, < 11.4.1
MEDIUM4.6CVE-2024-46872Mattermost Server Path Traversal vulnerability that leads to Cross-Site Request Forgery
from 0, < 8.0.0-20240926115259-20ed58906adc
MEDIUM4.6CVE-2024-46872Mattermost Server Path Traversal vulnerability that leads to Cross-Site Request Forgery
from 0, < 8.0.0-20240926115259-20ed58906adc
MEDIUM4.6CVE-2024-40886Mattermost Cross-Site Request Forgery vulnerability in github.com/mattermost/mattermost-server
from 0
MEDIUM4.6CVE-2024-40886Mattermost Cross-Site Request Forgery vulnerability in github.com/mattermost/mattermost-server
>= 9.9.0, < 9.9.2
MEDIUM4.3CVE-2026-6339Mattermost doesn't validate the X-Requested-With header on the burn-on-read reveal endpoint
>= 11.5.0, < 11.5.2
MEDIUM4.3CVE-2026-28732Mattermost doesn't enforce slash command trigger-word uniqueness during command updates
>= 11.5.0, < 11.5.2
MEDIUM4.3CVE-2026-6343Mattermost doesn't check public/private permissions
>= 11.5.0, < 11.5.2
MEDIUM4.3CVE-2026-3637Mattermost doesn't check the create_post channel permission during post edit operations
>= 10.11.0, < 10.11.14
MEDIUM4.3CVE-2026-28759Mattermost does not verify remote cluster channel access when processing shared channel membership removals
>= 11.5.0, < 11.5.2
MEDIUM4.3CVE-2026-6340Mattermost doesn't validate 7zip archive structure before processing
>= 11.5.0, < 11.5.2
MEDIUM4.3CVE-2026-3115Mattermost allows authenticated guest users to enumerate user IDs outside their allowed visibility scope
>= 11.4.0, < 11.4.1
MEDIUM4.3CVE-2026-20719Mattermost: Authenticated DoS through failure to prevent rendering of external SVGs on link embeds
>= 11.4.0-rc1, < 11.4.1
MEDIUM4.3CVE-2026-24692Mattermost fails to properly enforce read permissions in search API endpoints
from 0, < 8.0.0-20260107142155-0481bd1fb045
MEDIUM4.3CVE-2026-2455Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation
from 0, < 8.0.0-20260129133647-5d787969c2d5
MEDIUM4.3CVE-2026-24692Mattermost fails to properly enforce read permissions in search API endpoints
from 0, < 8.0.0-20260107142155-0481bd1fb045
MEDIUM4.3CVE-2026-2455Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation
from 0, < 8.0.0-20260129133647-5d787969c2d5
MEDIUM4.3CVE-2026-21386Mattermost fails to use consistent error responses when handling the /mute command
from 0, < 8.0.0-20260130144323-5bb5261c72fa
MEDIUM4.3CVE-2026-4265Mattermost fails to validate team-specific upload_file permissions
from 0, < 8.0.0-20260107144005-c7f6efdfb035
MEDIUM4.3CVE-2026-21386Mattermost fails to use consistent error responses when handling the /mute command
from 0, < 8.0.0-20260130144323-5bb5261c72fa
MEDIUM4.3CVE-2026-4265Mattermost fails to validate team-specific upload_file permissions
from 0, < 8.0.0-20260107144005-c7f6efdfb035
MEDIUM4.3CVE-2026-2458Mattermost allows a removed team member to enumerate all public channels within a private team
from 0, < 8.0.0-20260113182106-a18b80ba4c32
MEDIUM4.3CVE-2026-2463Mattermost fails to filter invite IDs based on user permissions
from 0, < 8.0.0-20260105134819-cc427af41b2a
MEDIUM4.3CVE-2026-2463Mattermost fails to filter invite IDs based on user permissions
from 0, < 8.0.0-20260105134819-cc427af41b2a
MEDIUM4.3CVE-2026-2578Mattermost fails to preserve the redacted state of burn-on-read posts during deletion
from 0, < 8.0.0-20260127062706-c6b205f0d770
MEDIUM4.3CVE-2026-2578Mattermost fails to preserve the redacted state of burn-on-read posts during deletion
from 0, < 8.0.0-20260127062706-c6b205f0d770
MEDIUM4.3CVE-2026-2458Mattermost allows a removed team member to enumerate all public channels within a private team
from 0, < 8.0.0-20260113182106-a18b80ba4c32
MEDIUM4.3CVE-2026-2457Mattermost allows attackers to spoof permalink embeds
from 0, < 8.0.0-20260123211116-9efe617be8b8
MEDIUM4.3CVE-2026-2457Mattermost allows attackers to spoof permalink embeds
from 0, < 8.0.0-20260123211116-9efe617be8b8
MEDIUM4.3CVE-2026-26246Mattermost fails to bound memory allocation when processing PSD image files
from 0, < 8.0.0-20260115183946-38b413a27604
MEDIUM4.3CVE-2026-25780Mattermost fails to bound memory allocation when processing DOC files
from 0, < 8.0.0-20260123215601-86797c508c44
MEDIUM4.3CVE-2026-26246Mattermost fails to bound memory allocation when processing PSD image files
from 0
MEDIUM4.3CVE-2026-25780Mattermost fails to bound memory allocation when processing DOC files
from 0, < 8.0.0-20260123215601-86797c508c44
MEDIUM4.3CVE-2026-25783Mattermost fails to properly validate User-Agent header tokens
from 0, < 8.0.0-20260129181235-1346cf529aef
MEDIUM4.3CVE-2026-25783Mattermost fails to properly validate User-Agent header tokens
from 0, < 8.0.0-20260129181235-1346cf529aef
MEDIUM4.3CVE-2025-14350Mattermost fails to properly validate team membership when processing channel mentions
from 0, < 8.0.0-20251209134645-761e56bb11cc
MEDIUM4.3CVE-2025-14350Mattermost fails to properly validate team membership when processing channel mentions
from 0, < 8.0.0-20251209134645-761e56bb11cc
MEDIUM4.3CVE-2025-13767Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues
from 0
MEDIUM4.3CVE-2025-13767Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues
from 0, < 8.0.0-20251121122154-b57c297c6d7
MEDIUM4.3CVE-2025-13324Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation in github.com/mattermost/mattermost
from 0, < 8.0.0-20251031095924-e7e23b94e006
MEDIUM4.3CVE-2025-13324Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation in github.com/mattermost/mattermost
from 0, < 8.0.0-20251031095924-e7e23b94e006
MEDIUM4.3CVE-2025-12756Mattermost fails to validate user permissions when deleting comments in Boards in github.com/mattermost/mattermost
from 0
MEDIUM4.3CVE-2025-12756Mattermost fails to validate user permissions when deleting comments in Boards in github.com/mattermost/mattermost
from 0, <= 8.0.0-20251013062617-7977e7e6dae3
MEDIUM4.3CVE-2025-12559Mattermost fails to sanitize team email addresses in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20251015091448-abbf01b9db45
MEDIUM4.3CVE-2025-12559Mattermost fails to sanitize team email addresses in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20251015091448-abbf01b9db45
MEDIUM4.3CVE-2025-11776Mattermost fails to properly restrict access to archived channel search API in github.com/mattermost/mattermost
from 0, < 8.0.0-20250815165020-c8d66301415d
MEDIUM4.3CVE-2025-11776Mattermost fails to properly restrict access to archived channel search API in github.com/mattermost/mattermost
from 0, < 8.0.0-20250815165020-c8d66301415d
MEDIUM4.3CVE-2025-41443Guest user can discover active public channels in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250822090405-e8c7e7d0252b
MEDIUM4.3CVE-2025-9078Mattermost makes Use of Weak Hash in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250718075842-cd87e5c87737
MEDIUM4.3CVE-2025-9078Mattermost makes Use of Weak Hash in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250718075842-cd87e5c87737
MEDIUM4.3CVE-2025-6465Mattermost Fails to Sanitize File Names in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250708173752-d6b35c41f0ae5
MEDIUM4.3CVE-2025-6465Mattermost Fails to Sanitize File Names in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2025-47870Mattermost Does Not Sanitize the Team Invite ID in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250708065844-b38e2eccda18
MEDIUM4.3CVE-2025-47870Mattermost Does Not Sanitize the Team Invite ID in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250708065844-b38e2eccda18
MEDIUM4.3CVE-2025-47871Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250513065225-4ae5d647fb88
MEDIUM4.3CVE-2025-47871Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250513065225-4ae5d647fb88
MEDIUM4.3CVE-2025-3227Mattermost allows unauthorized channel member management through playbook runs in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250520060012-d0380305ef7a
MEDIUM4.3CVE-2025-3228Mattermost allows an unauthorized Guest user access to Playbook in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250520060012-d0380305ef7a
MEDIUM4.3CVE-2025-3227Mattermost allows unauthorized channel member management through playbook runs in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250520060012-d0380305ef7a
MEDIUM4.3CVE-2025-3228Mattermost allows an unauthorized Guest user access to Playbook in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250520060012-d0380305ef7a
MEDIUM4.3CVE-2025-2527Mattermost Fails to Verify User's Permissions When Accessing Groups in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250411064244-844447fbd57c
MEDIUM4.3CVE-2025-2527Mattermost Fails to Verify User's Permissions When Accessing Groups in github.com/mattermost/mattermost-server
>= 10.5.0, < 10.5.3
MEDIUM4.3CVE-2025-3446Mattermost Fails to Validate Team Invite Permissions in github.com/mattermost/mattermost-server
>= 10.6.0, < 10.6.2
MEDIUM4.3CVE-2025-3446Mattermost Fails to Validate Team Invite Permissions in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250415054241-76ab3867b785
MEDIUM4.3CVE-2025-2564Mattermost Incorrect Authorization vulnerability
>= 10.5.0, < 10.5.2
MEDIUM4.3CVE-2025-2564Mattermost Incorrect Authorization vulnerability
from 0, < 8.0.0-20250314142426-c049748b8863
MEDIUM4.3CVE-2025-27571Mattermost Incorrect Authorization vulnerability
from 0, < 8.0.0-20250218121836-2b5275d87136
MEDIUM4.3CVE-2025-27571Mattermost Incorrect Authorization vulnerability
>= 10.5.0, < 10.5.2
MEDIUM4.3CVE-2025-30179Mattermost Fails to Enforce Certain Search APIs in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2025-30179Mattermost Fails to Enforce Certain Search APIs in github.com/mattermost/mattermost-server
>= 10.4.0, < 10.4.3
MEDIUM4.3CVE-2025-24920Mattermost Fails to Restrict Bookmark Creation and Updates in Archived Channels in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2025-24920Mattermost Fails to Restrict Bookmark Creation and Updates in Archived Channels in github.com/mattermost/mattermost-server
>= 10.4.0, < 10.4.3
MEDIUM4.3CVE-2025-25274Mattermost Fails to Restrict Command Execution in Archived Channels in github.com/mattermost/mattermost-server
>= 10.4.0, < 10.4.3
MEDIUM4.3CVE-2025-25274Mattermost Fails to Restrict Command Execution in Archived Channels in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2025-1472Mattermost Fails to Properly Perform Viewer Role Authorization in github.com/mattermost/mattermost-server
>= 9.11.0, < 9.11.9
MEDIUM4.3CVE-2025-1472Mattermost Fails to Properly Perform Viewer Role Authorization in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2025-24526Mattermost fails to restrict channel export of archived channels in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250110161910-96195f1bd746
MEDIUM4.3CVE-2025-24526Mattermost fails to restrict channel export of archived channels in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250110161910-96195f1bd746
MEDIUM4.3CVE-2025-20033Mattermost Improper Validation of Specified Type of Input vulnerability
from 0, < 8.0.0-20250102081831-64c566a8280b
MEDIUM4.3CVE-2025-20033Mattermost Improper Validation of Specified Type of Input vulnerability
>= 9.11.0, < 9.11.16
MEDIUM4.3CVE-2024-10241Mattermost Server allows user to get private channel names in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20240813135334-8f3a13122f55
MEDIUM4.3CVE-2024-10241Mattermost Server allows user to get private channel names in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20240813135334-8f3a13122f55
MEDIUM4.3CVE-2024-50052Mattermost server allows authenticated user to delete arbitrary post in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20240926115259-20ed58906adc
MEDIUM4.3CVE-2024-50052Mattermost server allows authenticated user to delete arbitrary post in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20240926115259-20ed58906adc
MEDIUM4.3CVE-2024-47401Mattermost Server vulnerable to application crash from attacker-generated large response in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20240926115259-20ed58906adc
MEDIUM4.3CVE-2024-47401Mattermost Server vulnerable to application crash from attacker-generated large response in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20240926115259-20ed58906adc
MEDIUM4.3CVE-2024-43780Mattermost allows guest user with read access to upload files to a channel in github.com/mattermost/mattermost-server
>= 9.5.0, < 9.5.8
MEDIUM4.3CVE-2024-43780Mattermost allows guest user with read access to upload files to a channel in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2024-32939Mattermost doesn't redact remote users' original email addresses in github.com/mattermost/mattermost-server
>= 9.9.0, < 9.9.2
MEDIUM4.3CVE-2024-32939Mattermost doesn't redact remote users' original email addresses in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2024-39839Mattermost allows a user on a remote to set their remote username prop to an arbitrary string in github.com/mattermost/mattermost-server
>= 9.5.0, < 9.5.7
MEDIUM4.3CVE-2024-39839Mattermost allows a user on a remote to set their remote username prop to an arbitrary string in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2024-28949Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost-server
>= 8.1.0, < 8.1.11
MEDIUM4.3CVE-2024-28949Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2024-1942Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2024-1953Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2024-1942Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server
>= 9.3.0, < 9.3.1
MEDIUM4.3CVE-2024-1953Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server
>= 9.4.0, < 9.4.2
MEDIUM4.3CVE-2024-1887Mattermost post fetching without auditing in compliance export
from 0
MEDIUM4.3CVE-2024-1888Mattermost fails to check the "invite_guest" permission in github.com/mattermost/mattermost-server
>= 9.4.0, < 9.4.2
MEDIUM4.3CVE-2024-24988Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2024-23493Mattermost leaks details of AD/LDAP groups of a teams
from 0
MEDIUM4.3CVE-2024-24988Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server
>= 9.3.0, < 9.3.1
MEDIUM4.3CVE-2024-23493Mattermost leaks details of AD/LDAP groups of a teams
>= 9.4.0, < 9.4.2
MEDIUM4.3CVE-2024-1888Mattermost fails to check the "invite_guest" permission in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2024-1887Mattermost post fetching without auditing in compliance export
>= 9.3.0, < 9.3.1
MEDIUM4.3CVE-2024-1402Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2024-1402Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server
from 0, < 8.1.8
MEDIUM4.3CVE-2023-47858Mattermost viewing archived public channels permissions vulnerability
from 0
MEDIUM4.3CVE-2023-48732Mattermost notified all users in the channel when using WebSockets to respond individually
from 0, < 8.1.7
MEDIUM4.3CVE-2023-47858Mattermost viewing archived public channels permissions vulnerability
from 0, < 8.1.1
MEDIUM4.3CVE-2023-48732Mattermost notified all users in the channel when using WebSockets to respond individually
from 0
MEDIUM4.3CVE-2023-6202Mattermost Improper Access Control vulnerability
>= 9.1.0, < 9.1.1
MEDIUM4.3CVE-2023-48268Mattermost Uncontrolled Resource Consumption vulnerability
>= 9.1.0, < 9.1.1
MEDIUM4.3CVE-2023-45223Mattermost Exposure of Sensitive Information to an Unauthorized Actor vulnerability
from 0, < 8.1.4
MEDIUM4.3CVE-2023-47865Mattermost Improper Access Control vulnerability
from 0, < 8.1.4
MEDIUM4.3CVE-2023-47168Mattermost Open Redirect vulnerability
>= 9.1.0, < 9.1.1
MEDIUM4.3CVE-2023-43754Mattermost Exposure of Sensitive Information to an Unauthorized Actor vulnerability
>= 9.1.0, < 9.1.1
MEDIUM4.3CVE-2023-40703Mattermost Uncontrolled Resource Consumption vulnerability
>= 9.1.0, < 9.1.1
MEDIUM4.3CVE-2023-5967Mattermost denial of service vulnerability
>= 8.0.0, < 8.0.4
MEDIUM4.3CVE-2023-5194Mattermost Incorrect Authorization vulnerability
>= 8.1.0, < 8.1.1
MEDIUM4.2CVE-2025-2571Mattermost fails to clear Google OAuth credentials in github.com/mattermost/mattermost-server
>= 10.7.0-rc1, < 10.7.1
MEDIUM4.2CVE-2025-2571Mattermost fails to clear Google OAuth credentials in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250414095146-04676582cdd2
MEDIUM4.1CVE-2025-64641Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin
from 0, < 8.0.0-20251121122154-b57c297c6d7
MEDIUM4.1CVE-2025-64641Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin
from 0
MEDIUM4.1CVE-2025-4573Mattermost allows authenticated administrator to execute LDAP search filter injection in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250414112942-77892234944b
MEDIUM4.1CVE-2025-4573Mattermost allows authenticated administrator to execute LDAP search filter injection in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250414112942-77892234944b
MEDIUM4.1CVE-2024-41162Mattermost allows a remote actor to make an arbitrary local channel read-only in github.com/mattermost/mattermost-server
from 0
MEDIUM4.1CVE-2024-41162Mattermost allows a remote actor to make an arbitrary local channel read-only in github.com/mattermost/mattermost-server
>= 9.5.0, < 9.5.7
LOW3.8CVE-2026-3495Mattermost doesn't escape some variables that could contain malicious content during error page composition
>= 10.11.0, < 10.11.14
LOW3.8CVE-2025-14573Mattermost fails to enforce invite permissions when updating team settings
from 0, < 8.0.0-20251215190648-6404ab29acc0
LOW3.8CVE-2025-14573Mattermost fails to enforce invite permissions when updating team settings
from 0, < 8.0.0-20251215190648-6404ab29acc0
LOW3.8CVE-2025-53971Mattermost Fails to Properly Validate Team Role Modification in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250721095846-c602a4a78e1f
LOW3.8CVE-2025-53971Mattermost Fails to Properly Validate Team Role Modification in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250721095846-c602a4a78e1f
LOW3.8CVE-2025-22449Mattermost Incorrect Authorization vulnerability
from 0, < 8.0.0-20250102081831-64c566a8280b
LOW3.8CVE-2025-22449Mattermost Incorrect Authorization vulnerability
>= 9.11.0, < 9.11.6
LOW3.8CVE-2024-39837Mattermost did not properly restrict channel creation in github.com/mattermost/mattermost-server
from 0
LOW3.8CVE-2024-39837Mattermost did not properly restrict channel creation in github.com/mattermost/mattermost-server
>= 9.5.0, < 9.5.7
LOW3.7CVE-2026-4273Mattermost doesn't validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation
>= 11.5.0, < 11.5.2
LOW3.7CVE-2023-50333Mattermost allows demoted guests to change group names
from 0
LOW3.7CVE-2023-50333Mattermost allows demoted guests to change group names
from 0, < 8.1.7
LOW3.7CVE-2023-7113Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server
from 0
LOW3.7CVE-2023-7113Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server
from 0, < 8.1.7
LOW3.5CVE-2026-6333Mattermost doesn't validate the Host header when constructing response URLs for custom slash command
>= 11.5.0, < 11.5.2
LOW3.5CVE-2025-47700Mattermost Server SSRF Vulnerability via the Agents Plugin in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250814075248-83a37a861d3c
LOW3.5CVE-2025-49810Mattermost Lack of Access Control Validation in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250721095846-c602a4a78e1f
LOW3.5CVE-2025-49810Mattermost Lack of Access Control Validation in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250721095846-c602a4a78e1f
LOW3.5CVE-2025-47700Mattermost Server SSRF Vulnerability via the Agents Plugin in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250814075248-83a37a861d3c
LOW3.5CVE-2025-22445Mattermost has Improper Check for Unusual or Exceptional Conditions
>= 10.0, < 10.3.0
LOW3.5CVE-2025-22445Mattermost has Improper Check for Unusual or Exceptional Conditions
from 0, < 8.0.0-20250102081831-64c566a8280b
LOW3.5CVE-2024-10214Mattermost incorrectly issues two sessions when using desktop SSO
from 0, < 8.0.0-20240821220019-0d6b1070a26f
LOW3.5CVE-2024-10214Mattermost incorrectly issues two sessions when using desktop SSO
from 0, < 8.0.0-20240821220019-0d6b1070a26f
LOW3.3CVE-2025-27715Mattermost fail to prompt for explicit approval before adding a team admin to a private channel in github.com/mattermost/mattermost-server
>= 9.11.0, < 9.11.9
LOW3.3CVE-2025-27715Mattermost fail to prompt for explicit approval before adding a team admin to a private channel in github.com/mattermost/mattermost-server
from 0
LOW3.1CVE-2026-4286Mattermost doesn't check if {{team_id}} was being changed when updating playbooks
>= 11.5.0, < 11.5.2
LOW3.1CVE-2026-6334Mattermost doesn't enforce client identity binding during the OAuth authorization code redemption flow
>= 11.5.0, < 11.5.2
LOW3.1CVE-2026-22545Mattermost fails to validate user's authentication method when processing account auth type switch
from 0, < 8.0.0-20260127144908-ced9a56e3988
LOW3.1CVE-2026-22545Mattermost fails to validate user's authentication method when processing account auth type switch
from 0, < 8.0.0-20260127144908-ced9a56e3988
LOW3.1CVE-2025-62690Mattermost has missing redirect URL validation in github.com/mattermost/mattermost
>= 8.0.0-20250721062209-4952acea88ce, < 8.0.0-20251016131338-dad6bd7a1509
LOW3.1CVE-2025-62690Mattermost has missing redirect URL validation in github.com/mattermost/mattermost
>= 8.0.0-20250721062209-4952acea88ce, < 8.0.0-20251016131338-dad6bd7a1509
LOW3.1CVE-2025-13870Mattermost fails to validate user permissions in Boards in github.com/mattermost/mattermost
from 0, < 8.0.0-20250905150616-ba86dfc5876b
LOW3.1CVE-2025-13870Mattermost fails to validate user permissions in Boards in github.com/mattermost/mattermost
from 0, < 8.0.0-20251212204551-54f2e9b4afd5
LOW3.1CVE-2025-41436Mattermost allows regular users to access archived channel content and files in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250815165020-c8d66301415d
LOW3.1CVE-2025-41436Mattermost allows regular users to access archived channel content and files in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250815165020-c8d66301415d
LOW3.1CVE-2025-11777Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost
from 0, < 8.0.0-20250905150616-ba86dfc5876b
LOW3.1CVE-2025-11777Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost
from 0, < 8.0.0-20251212204551-54f2e9b4afd5
LOW3.1CVE-2025-54499Mattermost has an Observable Timing Discrepancy vulnerability in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250728063359-38208b8f065f
LOW3.1CVE-2025-10545Mattermost has an Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250820115038-ff30b84049f0
LOW3.1CVE-2025-54499Mattermost has an Observable Timing Discrepancy vulnerability in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250728063359-38208b8f065f
LOW3.1CVE-2025-10545Mattermost has an Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250820115038-ff30b84049f0
LOW3.1CVE-2025-9081Mattermost boards plugin fails to restrict download access to files in github.com/mattermost/mattermost-plugin-boards
from 0, < 8.0.0-20250721095935-11c36f4d1e44
LOW3.1CVE-2025-9081Mattermost boards plugin fails to restrict download access to files in github.com/mattermost/mattermost-plugin-boards
from 0, < 8.0.0-20250721095935-11c36f4d1e44
LOW3.1CVE-2025-9084Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server
from 0, < 8.0.0-202508080704-39bd251fe4f600
LOW3.1CVE-2025-9084Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server
from 0
LOW3.1CVE-2025-4128Mattermost allows guest users to view information about public teams they are not members of in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250422131222-701ddc896a10
LOW3.1CVE-2025-4128Mattermost allows guest users to view information about public teams they are not members of in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250422131222-701ddc896a10
LOW3.1CVE-2025-1792Mattermost fails to properly enforce access controls for guest users in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250414110750-c23f44fe8ed0
LOW3.1CVE-2025-3611Mattermost fails to properly enforce access control restrictions for System Manager roles
from 0, < 8.0.0-20250414154356-6f33b721de76
LOW3.1CVE-2025-3611Mattermost fails to properly enforce access control restrictions for System Manager roles
>= 10.6.0-rc1, < 10.7.1
LOW3.1CVE-2025-1792Mattermost fails to properly enforce access controls for guest users in github.com/mattermost/mattermost-server
>= 10.6.0-rc1, < 10.7.1
LOW3.1CVE-2025-41423Mattermost Playbooks fails to properly validate permissions
from 0
LOW3.1CVE-2025-41423Mattermost Playbooks fails to properly validate permissions
from 0, < 8.0.0-20250218121836-2b5275d87136
LOW3.1CVE-2025-24839Mattermost Incorrect Authorization vulnerability
>= 10.5.0, < 10.5.2
LOW3.1CVE-2025-24839Mattermost Incorrect Authorization vulnerability
from 0, < 8.0.0-20250218121836-2b5275d87136
LOW3.1CVE-2025-2424Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250213231113-68c11e9ecb71
LOW3.1CVE-2025-2424Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
>= 10.5.0, < 10.5.2
LOW3.1CVE-2025-1412Mattermost fails to invalidate all active sessions when converting a user to a bot in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20241217145510-faa7e4f2ea0c
LOW3.1CVE-2025-1412Mattermost fails to invalidate all active sessions when converting a user to a bot in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20241217145510-faa7e4f2ea0c
LOW3.1CVE-2024-21848Mattermost Server Improper Access Control
from 0
LOW3.1CVE-2024-21848Mattermost Server Improper Access Control
from 0, < 8.1.11
LOW3.1CVE-2024-28053Mattermost Server Resource Exhaustion in github.com/mattermost/mattermost-server
from 0, < 0.0.0-20240209181221-674f549daf0e
LOW3.1CVE-2024-28053Mattermost Server Resource Exhaustion in github.com/mattermost/mattermost-server
from 0
LOW3.1CVE-2024-1952Mattermost incorrectly allows access individual posts
>= 9.0.0, < 9.4.0
LOW3.1CVE-2024-1952Mattermost incorrectly allows access individual posts
from 0
LOW3.1CVE-2024-23488Mattermost fails to properly restrict the access of files attached to posts in github.com/mattermost/mattermost-server
from 0
LOW3.1CVE-2024-23488Mattermost fails to properly restrict the access of files attached to posts in github.com/mattermost/mattermost-server
>= 9.0.0, < 9.4.2
LOW3.1CVE-2024-24776Mattermost fails to check the required permissions
from 0, < 8.1.8
LOW3.1CVE-2024-24776Mattermost fails to check the required permissions
from 0
LOW3.1CVE-2023-35075Mattermost Injection vulnerability
from 0, < 8.1.4
LOW3.0CVE-2025-13352Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection in github.com/mattermost/mattermost
from 0
LOW3.0CVE-2025-13352Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection in github.com/mattermost/mattermost
>= 10.11.0-rc1, < 10.11.7-0.20251106103514-3b05384dd014
LOW3.0CVE-2025-55074Mattermost allows other users to determine when users had read channels via channel member objects in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250905150616-ba86dfc5876b6
LOW3.0CVE-2025-55074Mattermost allows other users to determine when users had read channels via channel member objects in github.com/mattermost/mattermost-server
from 0
LOW3.0CVE-2025-31363Mattermost doesn't restrict domains LLM can request to contact upstream
from 0, < 8.0.0-20250218121836-2b5275d87136
LOW3.0CVE-2025-31363Mattermost doesn't restrict domains LLM can request to contact upstream
>= 10.5.0, < 10.5.1
LOW2.7CVE-2025-2570Mattermost Fails to Check User Access to `ExperimentalSettings` in github.com/mattermost/mattermost-server
>= 10.5.0, < 10.5.3
LOW2.7CVE-2025-2570Mattermost Fails to Check User Access to `ExperimentalSettings` in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250411064244-844447fbd57c
LOW2.7CVE-2025-24866Mattermost Fails to Enforce Proper Access Controls on `/api/v4/audits` Endpoint
from 0
LOW2.7CVE-2025-24866Mattermost Fails to Enforce Proper Access Controls on `/api/v4/audits` Endpoint
>= 9.11.0, < 9.11.9
LOW2.7CVE-2024-40884Mattermost allows team admin user without "Add Team Members" permission to disable invite URL in github.com/mattermost/mattermost-server
from 0
LOW2.7CVE-2024-40884Mattermost allows team admin user without "Add Team Members" permission to disable invite URL in github.com/mattermost/mattermost-server
>= 9.5.0, < 9.5.8
LOW2.7CVE-2024-41926Mattermost allows remote actor to set arbitrary RemoteId values for synced users in github.com/mattermost/mattermost-server
>= 9.5.0, < 9.5.7
LOW2.7CVE-2024-41926Mattermost allows remote actor to set arbitrary RemoteId values for synced users in github.com/mattermost/mattermost-server
from 0
LOW2.7CVE-2024-29977Mattermost failed to properly validate synced reactions in github.com/mattermost/mattermost-server
from 0
LOW2.7CVE-2024-29977Mattermost failed to properly validate synced reactions in github.com/mattermost/mattermost-server
>= 9.5.0, < 9.5.7
LOW2.7CVE-2023-5193Mattermost Incorrect Authorization vulnerability
>= 8.1.0, < 8.1.1
LOW2.7CVE-2023-5159Mattermost Incorrect Authorization vulnerability
>= 8.1.0, < 8.1.1
LOW2.6CVE-2024-1949Mattermost race condition in github.com/mattermost/mattermost-server
from 0
LOW2.6CVE-2024-1949Mattermost race condition in github.com/mattermost/mattermost-server
>= 9.0.0, < 9.4.2
LOW2.2CVE-2025-6227Mattermost has Insufficiently Protected Credentials in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250612074655-8f8612c63783
LOW2.2CVE-2025-6227Mattermost has Insufficiently Protected Credentials in github.com/mattermost/mattermost-server
from 0, < 8.0.0-20250612074655-8f8612c63783
LOW2.2CVE-2025-27538Mattermost Missing Authentication for Critical Function
>= 10.5.0, < 10.5.2
LOW2.2CVE-2025-27538Mattermost Missing Authentication for Critical Function
from 0, < 8.0.0-20250314142426-c049748b8863