pkg:Go/github.com/mattermost/mattermost-server

402 total CVEsCRITICAL20HIGH38MEDIUM244LOW77

✅ Check your installed version

All known vulnerabilities

CRITICAL9.9CVE-2025-12421Mattermost fails to to verify the token used during code exchange in github.com/mattermost/mattermost-server
>= 11.0.0, < 11.0.3
CRITICAL9.9CVE-2025-12421Mattermost fails to to verify the token used during code exchange in github.com/mattermost/mattermost-server
from 0
CRITICAL9.9CVE-2025-12419Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication in github.com/mattermost/mattermost-server
from 0
CRITICAL9.9CVE-2025-12419Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication in github.com/mattermost/mattermost-server
>= 10.12.0, < 10.12.2
CRITICAL9.9CVE-2025-4981Mattermost allows authenticated users to write files to arbitrary locations in github.com/mattermost/mattermost-server
from 0, < 0.0.0-20250519205859-65aec10162f6
CRITICAL9.9CVE-2025-4981Mattermost allows authenticated users to write files to arbitrary locations in github.com/mattermost/mattermost-server
from 0, < 0.0.0-20250519205859-65aec10162f6, >= 9.11.0+incompatible, < 9.11.16+incompatible, >= 10.5.0+incompatible, < 10.5.6+incompatible, >= 10.6.0+incompatible, < 10.6.6+incompatible, >= 10.7.0+incompatible, < 10.7.3+incompatible, >= 10.8.0+incompatible, < 10.8.1+incompatible
CRITICAL9.9CVE-2025-25279Mattermost allows reading arbitrary files related to importing boards
>= 9.11.0-rc1+incompatible, < 9.11.8+incompatible, >= 10.2.0-rc1+incompatible, < 10.2.3+incompatible, >= 10.3.0-rc1+incompatible, < 10.3.3+incompatible, >= 10.4.0-rc1+incompatible, < 10.4.2+incompatible
CRITICAL9.9CVE-2025-20051Mattermost allows reading arbitrary files
>= 9.11.0-rc1+incompatible, < 9.11.8+incompatible, >= 10.2.0-rc1+incompatible, < 10.2.3+incompatible, >= 10.3.0-rc1+incompatible, < 10.3.3+incompatible, >= 10.4.0-rc1+incompatible, < 10.4.2+incompatible
CRITICAL9.8CVE-2017-18915Mattermost Server server restarts may provide attackers with API access in github.com/mattermost/mattermost-server
>= 3.7.0+incompatible, < 3.7.5+incompatible, >= 3.8.0+incompatible, < 3.8.2+incompatible
CRITICAL9.8CVE-2017-18915Mattermost Server server restarts may provide attackers with API access in github.com/mattermost/mattermost-server
from 0, < 3.6.7-0.20170420152529-0968e4079e0a
CRITICAL9.8CVE-2017-18908Mattermost Server password reset email requests can be sent to attacker-provided email addresses
from 0, < 3.9.1-rc1+incompatible, >= 3.10.0+incompatible, < 3.10.1+incompatible
CRITICAL9.8CVE-2017-18900Mattermost Server is vulnerable CSV Injection in github.com/mattermost/mattermost-server
from 0, < 3.10.3+incompatible, >= 4.0.0+incompatible, < 4.0.3+incompatible
CRITICAL9.8CVE-2017-18900Mattermost Server is vulnerable CSV Injection in github.com/mattermost/mattermost-server
from 0, < 3.10.3
CRITICAL9.8CVE-2017-18908Mattermost Server password reset email requests can be sent to attacker-provided email addresses
from 0, < 3.9.1-rc1
CRITICAL9.8CVE-2017-18888Mattermost Server is vulnerable to SQL Injection when executing multiple POST requests in github.com/mattermost/mattermost-server
from 0, < 4.1.2+incompatible, >= 4.2.0-rc1+incompatible, < 4.2.1+incompatible, >= 4.3.0-rc1+incompatible, < 4.3.0+incompatible
CRITICAL9.8CVE-2017-18888Mattermost Server is vulnerable to SQL Injection when executing multiple POST requests in github.com/mattermost/mattermost-server
from 0, < 4.1.2
CRITICAL9.8CVE-2017-18885Mattermost Server allows attackers to gain privileges by accessing unintended API endpoints with users' credentials in github.com/mattermost/mattermost-server
from 0, < 4.1.2
CRITICAL9.8CVE-2017-18885Mattermost Server allows attackers to gain privileges by accessing unintended API endpoints with users' credentials in github.com/mattermost/mattermost-server
from 0, < 4.1.2+incompatible, >= 4.2.0-rc1+incompatible, < 4.2.1+incompatible, >= 4.3.0-rc1+incompatible, < 4.3.0+incompatible
CRITICAL9.1CVE-2017-18911Mattermost Server has X.509 Improper Certificate Validation
from 0, < 3.6.7-rc1+incompatible, >= 3.7.0+incompatible, < 3.7.5+incompatible, >= 3.8.0+incompatible, < 3.8.2+incompatible
CRITICAL9.1CVE-2017-18911Mattermost Server has X.509 Improper Certificate Validation
from 0, < 3.6.7-rc1
HIGH8.8CVE-2017-18903Mattermost Server vulnerable to CSRF if CORS is enabled in github.com/mattermost/mattermost-server
from 0, < 3.9.2
HIGH8.8CVE-2017-18903Mattermost Server vulnerable to CSRF if CORS is enabled in github.com/mattermost/mattermost-server
from 0, < 3.9.2+incompatible, >= 3.10.0+incompatible, < 3.10.2+incompatible
HIGH8.8CVE-2017-18886Mattermost Server does not properly restrict use of slash commands in github.com/mattermost/mattermost-server
from 0, < 4.1.2
HIGH8.8CVE-2017-18886Mattermost Server does not properly restrict use of slash commands in github.com/mattermost/mattermost-server
from 0, < 4.1.2+incompatible, >= 4.2.0-rc1+incompatible, < 4.2.1+incompatible, >= 4.3.0-rc1+incompatible, < 4.3.0+incompatible
HIGH8.8CVE-2022-1384Insecure plugin handling in Mattermost in github.com/mattermost/mattermost-server
from 0
HIGH8.7CVE-2026-6346Mattermost doesn't sanitize sensitive configuration fields before including them in support packet generation
from 0, < 5.3.2-0.20260326202606-fac92f4a71f3
HIGH8.7CVE-2024-39777Mattermost allows unsolicited invites to expose access to local channels in github.com/mattermost/mattermost-server
>= 9.5.0+incompatible, < 9.5.7+incompatible, >= 9.7.0+incompatible, < 9.7.6+incompatible, >= 9.8.0+incompatible, < 9.8.1+incompatible, >= 9.9.0+incompatible, < 9.9.1+incompatible
HIGH8.7CVE-2024-39274Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel in github.com/mattermost/mattermost-server
>= 9.5.0+incompatible, < 9.5.7+incompatible, >= 9.7.0+incompatible, < 9.7.6+incompatible, >= 9.8.0+incompatible, < 9.8.2+incompatible, >= 9.9.0+incompatible, < 9.9.1+incompatible
HIGH8.1CVE-2025-58073Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
>= 10.11.0, < 10.11.2
HIGH8.1CVE-2025-58075Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
>= 10.11.0, < 10.11.2
HIGH8.1CVE-2025-58073Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
>= 10.5.0+incompatible, < 10.5.11+incompatible, >= 10.10.0+incompatible, < 10.10.3+incompatible, >= 10.11.0+incompatible, < 10.11.2+incompatible
HIGH8.1CVE-2025-58075Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
>= 10.5.0+incompatible, < 10.5.11+incompatible, >= 10.10.0+incompatible, < 10.10.3+incompatible, >= 10.11.0+incompatible, < 10.11.2+incompatible
HIGH8.1CVE-2017-18906Mattermost Server vulnerable to user account takeover when Single Sign-On OAuth2 is used in github.com/mattermost/mattermost-server
from 0, < 3.9.2-0.20170714134023-b17fca0d5ee7
HIGH8.1CVE-2017-18906Mattermost Server vulnerable to user account takeover when Single Sign-On OAuth2 is used in github.com/mattermost/mattermost-server
>= 3.10.0+incompatible, < 3.10.2+incompatible
HIGH8.1CVE-2017-18894Mattermost Server has intermittent Authorization bypass for resource-owners in github.com/mattermost/mattermost-server
from 0, < 4.0.5
HIGH8.1CVE-2017-18894Mattermost Server has intermittent Authorization bypass for resource-owners in github.com/mattermost/mattermost-server
from 0, < 4.0.5+incompatible, >= 4.1.0+incompatible, < 4.1.1+incompatible, >= 4.2.0-rc1+incompatible, < 4.2.0+incompatible
HIGH8.0CVE-2025-9079Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.18+incompatible, >= 10.5.0+incompatible, < 10.5.9+incompatible, >= 10.8.0+incompatible, < 10.8.4+incompatible, >= 10.9.0+incompatible, < 10.9.4+incompatible, >= 10.10.0+incompatible, < 10.10.2+incompatible
HIGH8.0CVE-2025-9079Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server
>= 10.8.0, < 10.8.4
HIGH7.6CVE-2026-6347Mattermost doesn't sanitize sensitive configuration fields in the Mattermost Calls plugin
>= 11.5.0, < 11.5.2
HIGH7.6CVE-2025-9072Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server
>= 10.5.0+incompatible, < 10.5.10+incompatible, >= 10.9.0+incompatible, < 10.9.5+incompatible, >= 10.10.0+incompatible, < 10.10.2+incompatible
HIGH7.6CVE-2025-9072Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server
>= 10.10.0, < 10.10.2
HIGH7.5CVE-2026-24458Mattermost fails to properly handle very long passwords
from 0, < 5.3.2-0.20260129164748-7201f42d955f
HIGH7.5CVE-2026-24458Mattermost fails to properly handle very long passwords
>= 10.11.0-rc1+incompatible, < 10.11.11+incompatible, >= 11.2.0-rc1+incompatible, < 11.2.3+incompatible, >= 11.3.0-rc1+incompatible, < 11.3.1+incompatible
HIGH7.5CVE-2025-25068Mattermost Fails to Enforce MFA on Plugin Endpoints in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.9+incompatible, >= 10.3.0+incompatible, < 10.3.4+incompatible, >= 10.4.0+incompatible, < 10.4.3+incompatible, >= 10.5.0+incompatible, < 10.5.1+incompatible
HIGH7.5CVE-2018-21258Mattermost Server is vulnerable to a Denial of Service attack through `invite_people` command in github.com/mattermost/mattermost-server
from 0, < 5.1.0
HIGH7.5CVE-2018-21258Mattermost Server is vulnerable to a Denial of Service attack through `invite_people` command in github.com/mattermost/mattermost-server
from 0
HIGH7.5CVE-2017-18909Mattermost Server SAML implementation does not require encryption or signature verification as default in github.com/mattermost/mattermost-server
from 0, < 3.8.1-0.20170504181128-4f074fed0d65
HIGH7.5CVE-2017-18909Mattermost Server SAML implementation does not require encryption or signature verification as default in github.com/mattermost/mattermost-server
from 0
HIGH7.5CVE-2017-18871Mattermost Server vulnerable to Denial of Service through `@` character prefix inserted into JavaScript field names in github.com/mattermost/mattermost-server
from 0, < 4.2.2
HIGH7.5CVE-2017-18871Mattermost Server vulnerable to Denial of Service through `@` character prefix inserted into JavaScript field names in github.com/mattermost/mattermost-server
from 0, < 4.2.2+incompatible, >= 4.3.0-rc1+incompatible, < 4.3.4+incompatible, >= 4.4.0-rc1+incompatible, < 4.4.5+incompatible, >= 4.5.0-rc1+incompatible, < 4.5.0+incompatible
HIGH7.5CVE-2016-11069Mattermost Server does not enforce rate limits on password change attempts in github.com/mattermost/mattermost-server
from 0, < 3.2.0
HIGH7.5CVE-2016-11069Mattermost Server does not enforce rate limits on password change attempts in github.com/mattermost/mattermost-server
from 0, < 3.2.0+incompatible
HIGH7.5CVE-2016-11066Mattermost Server: initial_load API exposes unnecessary information in github.com/mattermost/mattermost-server
from 0, < 3.1.1
HIGH7.5CVE-2016-11076Mattermost Server does not check if cookies are used over SSL in github.com/mattermost/mattermost-server
from 0, < 3.0.0
HIGH7.5CVE-2016-11076Mattermost Server does not check if cookies are used over SSL in github.com/mattermost/mattermost-server
from 0, < 3.0.0+incompatible
HIGH7.5CVE-2016-11066Mattermost Server: initial_load API exposes unnecessary information in github.com/mattermost/mattermost-server
from 0
HIGH7.4CVE-2024-36492Mattermost failed to disallow the modification of local users when syncing users in shared channels in github.com/mattermost/mattermost-server
>= 9.5.0+incompatible, < 9.5.7+incompatible, >= 9.7.0+incompatible, < 9.7.6+incompatible, >= 9.8.0+incompatible, < 9.8.2+incompatible, >= 9.9.0+incompatible, < 9.9.1+incompatible
HIGH7.2CVE-2025-14273Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-plugin-jira
from 0
MEDIUM6.8CVE-2025-14435Mattermost is vulnerable to DoS due to infinite re-renders on API errors
>= 10.11.0, < 10.11.9
MEDIUM6.8CVE-2025-14435Mattermost is vulnerable to DoS due to infinite re-renders on API errors
>= 10.11.0+incompatible, < 10.11.9+incompatible, >= 11.0.1+incompatible, < 11.0.7+incompatible, >= 11.1.0+incompatible, < 11.1.2+incompatible
MEDIUM6.8CVE-2025-8023Mattermost Fails to Sanitize Path Traversal Sequences in github.com/mattermost/mattermost-server
>= 10.8.0, < 10.8.4
MEDIUM6.8CVE-2025-8023Mattermost Fails to Sanitize Path Traversal Sequences in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.18+incompatible, >= 10.5.0+incompatible, < 10.5.9+incompatible, >= 10.8.0+incompatible, < 10.8.4+incompatible, >= 10.9.0+incompatible, < 10.9.3+incompatible
MEDIUM6.8CVE-2025-36530Mattermost Fails to Validate File Paths in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.18+incompatible, >= 10.5.0+incompatible, < 10.5.9+incompatible, >= 10.8.0+incompatible, < 10.8.4+incompatible, >= 10.9.0+incompatible, < 10.9.2+incompatible
MEDIUM6.8CVE-2025-36530Mattermost Fails to Validate File Paths in github.com/mattermost/mattermost-server
>= 10.9.0, < 10.9.2
MEDIUM6.8CVE-2025-49222Mattermost Fails to Validate Remote Cluster Upload Sessions in github.com/mattermost/mattermost-server
>= 10.8.0, < 10.8.4
MEDIUM6.8CVE-2025-49222Mattermost Fails to Validate Remote Cluster Upload Sessions in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.18+incompatible, >= 10.5.0+incompatible, < 10.5.9+incompatible, >= 10.8.0+incompatible, < 10.8.4+incompatible, >= 10.9.0+incompatible, < 10.9.3+incompatible, >= 10.10.0+incompatible, < 10.10.1+incompatible
MEDIUM6.8CVE-2025-6233Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.17+incompatible, >= 10.5.0+incompatible, < 10.5.8+incompatible, >= 10.7.0+incompatible, < 10.7.4+incompatible, >= 10.8.0+incompatible, < 10.8.2+incompatible
MEDIUM6.8CVE-2025-6233Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server
>= 10.8.0, < 10.8.2
MEDIUM6.8CVE-2024-39832Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling in github.com/mattermost/mattermost-server
>= 9.5.0+incompatible, < 9.5.7+incompatible, >= 9.7.0+incompatible, < 9.7.6+incompatible, >= 9.8.0+incompatible, < 9.8.2+incompatible, >= 9.9.0+incompatible, < 9.9.1+incompatible
MEDIUM6.5CVE-2026-5163Mattermost doesn't verify channel membership when processing AI-assisted message rewrites
from 0, < 5.3.2-0.20260401090745-f4d1abe7e8f5
MEDIUM6.5CVE-2026-6345Mattermost doesn't prevent disclosure of created user password
from 0, < 5.3.2-0.20260311102650-3057ae7e83e9
MEDIUM6.5CVE-2026-3590Mattermost has session spoofing due to lack of single-use consumption of guest magic link tokens enforcement
>= 10.11.0-rc1, < 10.11.13
MEDIUM6.5CVE-2025-55070Mattermost does not enforce MFA on WebSocket connections in github.com/mattermost/mattermost-server
from 0, < 11.1.0
MEDIUM6.5CVE-2025-55070Mattermost does not enforce MFA on WebSocket connections in github.com/mattermost/mattermost-server
from 0, < 11.1.0+incompatible
MEDIUM6.5CVE-2025-9076Mattermost Missing Authorization vulnerability in github.com/mattermost/mattermost-server
>= 10.10.0, < 10.10.2
MEDIUM6.5CVE-2025-9076Mattermost Missing Authorization vulnerability in github.com/mattermost/mattermost-server
>= 10.10.0+incompatible, < 10.10.2+incompatible
MEDIUM6.5CVE-2025-6226Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.17+incompatible, >= 10.5.0+incompatible, < 10.5.7+incompatible, >= 10.7.0+incompatible, < 10.7.4+incompatible, >= 10.8.0+incompatible, < 10.8.2+incompatible
MEDIUM6.5CVE-2025-6226Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server
>= 10.5.0, < 10.5.7
MEDIUM6.5CVE-2025-35965Mattermost Playbooks fails to validate the uniqueness and quantity of task actions
>= 9.11.0+incompatible
MEDIUM6.5CVE-2025-41395Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type
>= 9.11.0+incompatible
MEDIUM6.5CVE-2025-20621Mattermost webapp crash via a crafted post
>= 9.11.0+incompatible, < 9.11.6+incompatible, >= 10.0.0+incompatible, < 10.0.4+incompatible, >= 10.1.0+incompatible, < 10.1.4+incompatible, >= 10.2.0+incompatible, < 10.2.1+incompatible
MEDIUM6.5CVE-2025-20086Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.6+incompatible, >= 10.0.0+incompatible, < 10.0.4+incompatible, >= 10.1.0+incompatible, < 10.1.4+incompatible, >= 10.2.0+incompatible, < 10.2.1+incompatible
MEDIUM6.5CVE-2025-20088Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.6+incompatible, >= 10.0.0+incompatible, < 10.0.4+incompatible, >= 10.1.0+incompatible, < 10.1.4+incompatible, >= 10.2.0+incompatible, < 10.2.1+incompatible
MEDIUM6.5CVE-2025-21088Mattermost Incorrect Type Conversion or Cast
>= 9.11.0+incompatible, < 9.11.6+incompatible, >= 10.0.0+incompatible, < 10.0.4+incompatible, >= 10.1.0+incompatible, < 10.1.4+incompatible, >= 10.2.0+incompatible, < 10.2.1+incompatible
MEDIUM6.5CVE-2024-54083Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server
>= 9.5.0+incompatible, < 9.5.13+incompatible, >= 9.11.0+incompatible, < 9.11.5+incompatible, >= 10.0.0+incompatible, < 10.0.3+incompatible, >= 10.1.0+incompatible, < 10.1.3+incompatible
MEDIUM6.5CVE-2024-54682Mattermost Data Amplification vulnerability in github.com/mattermost/mattermost-server
>= 9.5.0+incompatible, < 9.5.13+incompatible, >= 9.11.0+incompatible, < 9.11.5+incompatible, >= 10.0.0+incompatible, < 10.0.3+incompatible, >= 10.1.0+incompatible, < 10.1.3+incompatible
MEDIUM6.5CVE-2024-2447Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server
>= 9.3.0+incompatible, < 9.3.3+incompatible, >= 9.4.0+incompatible, < 9.4.4+incompatible, >= 9.5.0+incompatible, < 9.5.2+incompatible
MEDIUM6.5CVE-2023-1775Mattermost vulnerable to information disclosure
>= 3.3.0, < 7.1.6
MEDIUM6.5CVE-2022-4045Denial of service in Mattermost
from 0, < 7.1.4
MEDIUM6.5CVE-2022-4044Denial of service in Mattermost
from 0, < 7.1.4
MEDIUM6.5CVE-2022-2401Mattermost users could access some sensitive information via API call in github.com/mattermost/mattermost-server
from 0
MEDIUM6.5CVE-2022-1982Uncontrolled Resource Consumption in Mattermost server
>= 6.6.0, < 6.6.1
MEDIUM6.5CVE-2016-11078Mattermost Server exposes sensitive information via its System Console UI in github.com/mattermost/mattermost-server
from 0, < 3.0.0
MEDIUM6.5CVE-2016-11072Mattermost Server's Session ID and Session Token are potentially compromised in github.com/mattermost/mattermost-server
from 0, < 3.0.2
MEDIUM6.5CVE-2016-11078Mattermost Server exposes sensitive information via its System Console UI in github.com/mattermost/mattermost-server
from 0, < 3.0.0+incompatible
MEDIUM6.5CVE-2016-11072Mattermost Server's Session ID and Session Token are potentially compromised in github.com/mattermost/mattermost-server
from 0, < 3.0.2+incompatible
MEDIUM6.5CVE-2022-1337Resource exhaustion in Mattermost in github.com/mattermost/mattermost-server
from 0
MEDIUM6.1CVE-2017-18907Mattermost Server vulnerable to XSS through channel headers in github.com/mattermost/mattermost-server
>= 3.10.0+incompatible, < 3.10.2+incompatible
MEDIUM6.1CVE-2017-18904Mattermost Server vulnerable to XSS via an uploaded file in github.com/mattermost/mattermost-server
from 0, < 3.9.2+incompatible, >= 3.10.0+incompatible, < 3.10.2+incompatible
MEDIUM6.1CVE-2017-18904Mattermost Server vulnerable to XSS via an uploaded file in github.com/mattermost/mattermost-server
from 0, < 3.9.2
MEDIUM6.1CVE-2017-18907Mattermost Server vulnerable to XSS through channel headers in github.com/mattermost/mattermost-server
from 0, < 3.9.2-0.20170714014920-312269ad0bd1
MEDIUM6.1CVE-2017-18891Mattermost Server does not safeguard against phishing via error page links in github.com/mattermost/mattermost-server
from 0, < 4.0.5+incompatible, >= 4.1.0+incompatible, < 4.1.1+incompatible, >= 4.2.0-rc1+incompatible, < 4.2.0+incompatible
MEDIUM6.1CVE-2017-18892Mattermost Server does not neutralize HTML content in an Email template field in github.com/mattermost/mattermost-server
from 0, < 4.0.5+incompatible, >= 4.1.0+incompatible, < 4.1.1+incompatible, >= 4.2.0-rc1+incompatible, < 4.2.0+incompatible
MEDIUM6.1CVE-2017-18893Mattermost Server is vulnerable to XSS through display name field in github.com/mattermost/mattermost-server
from 0, < 4.0.5+incompatible, >= 4.1.0+incompatible, < 4.1.1+incompatible, >= 4.2.0-rc1+incompatible, < 4.2.0+incompatible
MEDIUM6.1CVE-2017-18897Mattermost Server mishandles redirect denial action in github.com/mattermost/mattermost-server
from 0, < 4.0.5+incompatible, >= 4.1.0+incompatible, < 4.1.1+incompatible, >= 4.2.0-rc1+incompatible, < 4.2.0+incompatible
MEDIUM6.1CVE-2017-18892Mattermost Server does not neutralize HTML content in an Email template field in github.com/mattermost/mattermost-server
from 0, < 4.0.5
MEDIUM6.1CVE-2017-18897Mattermost Server mishandles redirect denial action in github.com/mattermost/mattermost-server
from 0, < 4.0.5
MEDIUM6.1CVE-2017-18891Mattermost Server does not safeguard against phishing via error page links in github.com/mattermost/mattermost-server
from 0, < 4.0.5
MEDIUM6.1CVE-2017-18893Mattermost Server is vulnerable to XSS through display name field in github.com/mattermost/mattermost-server
from 0, < 4.0.5
MEDIUM6.1CVE-2017-18879Mattermost Server is vulnerable to XSS through author_link field in Slack attachments in github.com/mattermost/mattermost-server
from 0, < 4.1.2+incompatible, >= 4.2.0+incompatible, < 4.2.1+incompatible, >= 4.3.0-rc1+incompatible, < 4.3.0+incompatible
MEDIUM6.1CVE-2017-18879Mattermost Server is vulnerable to XSS through author_link field in Slack attachments in github.com/mattermost/mattermost-server
from 0, < 4.1.2
MEDIUM6.1CVE-2016-11083Mattermost Server: Files may be rendered inline instead of downloaded, allowing script execution in github.com/mattermost/mattermost-server
from 0, < 2.2.0+incompatible
MEDIUM6.1CVE-2016-11084Mattermost Server allows XSS via CSRF in github.com/mattermost/mattermost-server
from 0, < 2.1.0
MEDIUM6.1CVE-2016-11084Mattermost Server allows XSS via CSRF in github.com/mattermost/mattermost-server
from 0, < 2.1.0+incompatible
MEDIUM6.1CVE-2016-11082Mattermost Server is vulnerable to XSS through crafted links in github.com/mattermost/mattermost-server
from 0, < 2.2.0
MEDIUM6.1CVE-2016-11079Mattermost Server allows XSS via redirect URL in github.com/mattermost/mattermost-server
from 0, < 3.0.0
MEDIUM6.1CVE-2016-11082Mattermost Server is vulnerable to XSS through crafted links in github.com/mattermost/mattermost-server
from 0, < 2.2.0+incompatible
MEDIUM6.1CVE-2016-11083Mattermost Server: Files may be rendered inline instead of downloaded, allowing script execution in github.com/mattermost/mattermost-server
from 0, < 2.2.0
MEDIUM6.1CVE-2016-11079Mattermost Server allows XSS via redirect URL in github.com/mattermost/mattermost-server
from 0, < 3.0.0+incompatible
MEDIUM6.1CVE-2016-11073Mattermost Server is vulnerable to XSS via a Legal or Support setting in github.com/mattermost/mattermost-server
from 0, < 3.0.0
MEDIUM6.1CVE-2016-11071Mattermost Server is vulnerable to XSS through lack of link relationship attributes `noreferrer` and `noopener` in github.com/mattermost/mattermost-server
from 0, < 3.1.0
MEDIUM6.1CVE-2016-11071Mattermost Server is vulnerable to XSS through lack of link relationship attributes `noreferrer` and `noopener` in github.com/mattermost/mattermost-server
from 0, < 3.1.0+incompatible
MEDIUM6.1CVE-2016-11073Mattermost Server is vulnerable to XSS via a Legal or Support setting in github.com/mattermost/mattermost-server
from 0, < 3.0.0+incompatible
MEDIUM6.1CVE-2016-11063Mattermost Server vulnerable to Cross-site Scripting through file preview feature in github.com/mattermost/mattermost-server
from 0, < 3.5.1
MEDIUM6.1CVE-2016-11063Mattermost Server vulnerable to Cross-site Scripting through file preview feature in github.com/mattermost/mattermost-server
from 0, < 3.5.1+incompatible
MEDIUM6.1CVE-2021-37860Cross-site Scripting in Mattermost in github.com/mattermost/mattermost-server
from 0
MEDIUM6.0CVE-2024-42497Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams in github.com/mattermost/mattermost-server
>= 9.5.0+incompatible, < 9.5.8+incompatible, >= 9.8.0+incompatible, < 9.8.3+incompatible, >= 9.9.0+incompatible, < 9.9.2+incompatible, >= 9.10.0+incompatible, < 9.10.1+incompatible
MEDIUM5.8CVE-2025-31947Mattermost Fails to Lockout LDAP Users After Repeated Login Failures in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.12+incompatible, >= 10.4.0+incompatible, < 10.4.5+incompatible, >= 10.5.0+incompatible, < 10.5.3+incompatible, >= 10.6.0+incompatible, < 10.6.2+incompatible
MEDIUM5.7CVE-2026-27656Mattermost allows attackers to take over arbitrary user accounts via overly permissive substring matching flaw
>= 11.4.0-rc1, < 11.4.1
MEDIUM5.7CVE-2025-13821Mattermost fails to sanitize sensitive data in WebSocket messages
from 0
MEDIUM5.7CVE-2025-13821Mattermost fails to sanitize sensitive data in WebSocket messages
>= 11.1.0
MEDIUM5.5CVE-2024-41144Mattermost allows remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server
>= 9.5.0+incompatible, < 9.5.7+incompatible, >= 9.7.0+incompatible, < 9.7.6+incompatible, >= 9.8.0+incompatible, < 9.8.2+incompatible, >= 9.9.0+incompatible, < 9.9.1+incompatible
MEDIUM5.4CVE-2026-0999Mattermost fails to properly validate login method restrictions
from 0
MEDIUM5.4CVE-2026-0999Mattermost fails to properly validate login method restrictions
>= 11.1.0
MEDIUM5.4CVE-2025-55073Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL in github.com/mattermost/mattermost-server
>= 10.11.0, < 10.11.4
MEDIUM5.4CVE-2025-55073Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL in github.com/mattermost/mattermost-server
>= 10.5.0+incompatible, < 10.5.12+incompatible, >= 10.11.0+incompatible, < 10.11.4+incompatible, >= 10.12.0+incompatible, < 10.12.1+incompatible
MEDIUM5.4CVE-2025-41410Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
>= 10.5.0+incompatible, < 10.5.11+incompatible, >= 10.10.0+incompatible, < 10.10.3+incompatible, >= 10.11.0+incompatible, < 10.11.3+incompatible
MEDIUM5.4CVE-2025-41410Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
>= 10.10.0, < 10.10.3
MEDIUM5.4CVE-2025-46702Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
from 0, < 0.0.0-20250513065225-4ae5d647fb88
MEDIUM5.4CVE-2025-46702Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
from 0, < 0.0.0-20250513065225-4ae5d647fb88, >= 9.11.0+incompatible, < 9.11.16+incompatible, >= 10.5.0+incompatible, < 10.5.6+incompatible, >= 10.6.0+incompatible, < 10.6.6+incompatible, >= 10.7.0+incompatible, < 10.7.3+incompatible, >= 10.8.0+incompatible, < 10.8.1+incompatible
MEDIUM5.4CVE-2025-3230Mattermost fails to properly invalidate personal access tokens upon user deactivation in github.com/mattermost/mattermost-server
>= 9.0.0-rc1+incompatible, < 9.11.13+incompatible, >= 10.0.0-rc1+incompatible, < 10.5.4+incompatible, >= 10.6.0-rc1+incompatible, < 10.6.3+incompatible, >= 10.7.0-rc1+incompatible, < 10.7.1+incompatible
MEDIUM5.4CVE-2025-2475Mattermost vulnerable to Incorrect Implementation of Authentication Algorithm
>= 9.11.0+incompatible, < 9.11.10+incompatible, >= 10.5.0+incompatible, < 10.5.2+incompatible
MEDIUM5.4CVE-2025-27933Mattermost allows members with permission to convert public channels to private and convert private to public in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.9+incompatible, >= 10.3.0+incompatible, < 10.3.4+incompatible, >= 10.4.0+incompatible, < 10.4.3+incompatible
MEDIUM5.4CVE-2025-27933Mattermost allows members with permission to convert public channels to private and convert private to public in github.com/mattermost/mattermost-server
from 0, < 9.11.9
MEDIUM5.4CVE-2024-47003Mattermost fails to strip `embeds` from `metadata` when broadcasting `posted` events in github.com/mattermost/mattermost-server
from 0
MEDIUM5.4CVE-2023-1776Mattermost vulnerable to cross-site scripting (XSS)
>= 7.7.0, < 7.7.2
MEDIUM5.4CVE-2023-1774Mattermost fails to properly authentication inviter's permissions to private channel
>= 3.3.0, < 7.1.6
MEDIUM5.4CVE-2016-11070Mattermost Server is vulnerable to XSS through customizable theme color-code values in github.com/mattermost/mattermost-server
from 0, < 3.1.0
MEDIUM5.4CVE-2016-11070Mattermost Server is vulnerable to XSS through customizable theme color-code values in github.com/mattermost/mattermost-server
from 0, < 3.1.0+incompatible
MEDIUM5.3CVE-2026-2456Mattermost fails to limit the size of responses from integration action endpoints
>= 10.11.0-rc1+incompatible, < 10.11.11+incompatible, >= 11.2.0-rc1+incompatible, < 11.2.3+incompatible, >= 11.3.0-rc1+incompatible, < 11.3.1+incompatible
MEDIUM5.3CVE-2026-2456Mattermost fails to limit the size of responses from integration action endpoints
from 0, < 5.3.2-0.20260127165411-fe3052073dc6
MEDIUM5.3CVE-2025-3913Mattermost improperly allows team administrators to modify team invites in github.com/mattermost/mattermost-server
>= 9.0.0-rc1+incompatible, < 9.11.13+incompatible, >= 10.5.0-rc1+incompatible, < 10.5.4+incompatible, >= 10.6.0-rc1+incompatible, < 10.6.3+incompatible, >= 10.7.0-rc1+incompatible, < 10.7.1+incompatible
MEDIUM5.3CVE-2025-27936Mattermost vulnerable to Observable Timing Discrepancy in github.com/mattermost/mattermost-plugin-msteams
>= 10.5.0+incompatible, < 10.5.2+incompatible
MEDIUM5.3CVE-2023-1777Mattermost vulnerable to information disclosure
>= 7.8.0, < 7.8.1
MEDIUM5.3CVE-2020-14457Mattermost Server Sensitive Data Exposure in github.com/mattermost/mattermost
from 0
MEDIUM5.3CVE-2017-18905Mattermost Server has Insufficient Session Expiration when used as an OAuth 2.0 service provider in github.com/mattermost/mattermost-server
from 0, < 3.9.2
MEDIUM5.3CVE-2017-18902Mattermost Server exposes team invite IDs through API endpoints in github.com/mattermost/mattermost-server
from 0, < 3.10.3
MEDIUM5.3CVE-2017-18901CVE-2017-18901 in github.com/mattermost/mattermost-server
from 0
MEDIUM5.3CVE-2017-18901CVE-2017-18901 in github.com/mattermost/mattermost-server
from 0, < 3.10.3
MEDIUM5.3CVE-2017-18902Mattermost Server exposes team invite IDs through API endpoints in github.com/mattermost/mattermost-server
from 0, < 3.10.3+incompatible, >= 4.0.0+incompatible, < 4.0.4+incompatible, >= 4.0.5-rc1+incompatible, < 4.1.0+incompatible
MEDIUM5.3CVE-2017-18905Mattermost Server has Insufficient Session Expiration when used as an OAuth 2.0 service provider in github.com/mattermost/mattermost-server
from 0, < 3.9.2+incompatible, >= 3.10.0+incompatible, < 3.10.2+incompatible
MEDIUM5.3CVE-2017-18896Mattermost Server allows attackers to log sensitive information via DEBUG REST API logging endpoint in github.com/mattermost/mattermost-server
>= 4.1.0, < 4.1.1
MEDIUM5.3CVE-2017-18898Mattermost Server is vulnerable to DoS through maliciously crafted posts in github.com/mattermost/mattermost-server
from 0, < 4.0.5+incompatible, >= 4.1.0+incompatible, < 4.1.1+incompatible, >= 4.2.0-rc1+incompatible, < 4.2.0+incompatible
MEDIUM5.3CVE-2017-18896Mattermost Server allows attackers to log sensitive information via DEBUG REST API logging endpoint in github.com/mattermost/mattermost-server
from 0, < 4.0.5+incompatible, >= 4.1.0+incompatible, < 4.1.1+incompatible, >= 4.2.0-rc1+incompatible, < 4.2.0+incompatible
MEDIUM5.3CVE-2017-18895Mattermost Server exposes sensitive user status information via REST API version 4 endpoint in github.com/mattermost/mattermost-server
from 0, < 4.0.5+incompatible, >= 4.1.0+incompatible, < 4.1.1+incompatible, >= 4.2.0-rc1+incompatible, < 4.2.0+incompatible
MEDIUM5.3CVE-2017-18895Mattermost Server exposes sensitive user status information via REST API version 4 endpoint in github.com/mattermost/mattermost-server
from 0, < 4.0.5
MEDIUM5.3CVE-2017-18898Mattermost Server is vulnerable to DoS through maliciously crafted posts in github.com/mattermost/mattermost-server
from 0, < 4.0.5
MEDIUM5.3CVE-2017-18873Mattermost Server is vulnerable to channel invisibility DoS via misformatted post in github.com/mattermost/mattermost-server
from 0, < 4.1.2-0.20171013141717-ee57a5829ab1
MEDIUM5.3CVE-2017-18873Mattermost Server is vulnerable to channel invisibility DoS via misformatted post in github.com/mattermost/mattermost-server
from 0, < 4.1.2-0.20171013141717-ee57a5829ab1+incompatible, >= 4.2.0+incompatible, < 4.2.1-0.20171013140502-b3e4b0ac9168+incompatible, >= 4.3.0-rc1+incompatible, < 4.3.0+incompatible
MEDIUM5.3CVE-2017-18887Mattermost Server exposes team creator's e-mail address to other members in github.com/mattermost/mattermost-server
from 0, < 4.1.2
MEDIUM5.3CVE-2017-18887Mattermost Server exposes team creator's e-mail address to other members in github.com/mattermost/mattermost-server
from 0, < 4.1.2+incompatible, >= 4.2.0-rc1+incompatible, < 4.2.1+incompatible, >= 4.3.0-rc1+incompatible, < 4.3.0+incompatible
MEDIUM5.3CVE-2016-11075Mattermost Server exposes sensitive information about team URLs via an API in github.com/mattermost/mattermost-server
from 0, < 2.0.1-0.20160310160916-26ad6d2c7696
MEDIUM5.3CVE-2016-11068Mattermost Server is vulnerable to Code Injection through its LDAP fields in github.com/mattermost/mattermost-server
from 0, < 3.2.0+incompatible
MEDIUM5.3CVE-2016-11067Mattermost Server is vulnerable to Uncontrolled Resource Consumption in github.com/mattermost/mattermost-server
from 0, < 3.2.0+incompatible
MEDIUM5.3CVE-2016-11075Mattermost Server exposes sensitive information about team URLs via an API in github.com/mattermost/mattermost-server
from 0
MEDIUM5.3CVE-2016-11067Mattermost Server is vulnerable to Uncontrolled Resource Consumption in github.com/mattermost/mattermost-server
from 0, < 3.2.0
MEDIUM5.3CVE-2016-11068Mattermost Server is vulnerable to Code Injection through its LDAP fields in github.com/mattermost/mattermost-server
from 0, < 3.2.0
MEDIUM5.0CVE-2026-3113Mattermost doesn't set permissions on downloaded bulk export
>= 11.4.0-rc1, < 11.4.1
MEDIUM4.9CVE-2025-11794Mattermost allows system administrators to access password hashes and MFA secrets in github.com/mattermost/mattermost-server
>= 10.11.0, < 10.11.4
MEDIUM4.9CVE-2025-11794Mattermost allows system administrators to access password hashes and MFA secrets in github.com/mattermost/mattermost-server
>= 10.5.0+incompatible, < 10.5.12+incompatible, >= 10.11.0+incompatible, < 10.11.4+incompatible, >= 10.12.0+incompatible, < 10.12.1+incompatible
MEDIUM4.9CVE-2025-8402Mattermost has Potential Server Crash due to Unvalidated Import Data in github.com/mattermost/mattermost-server
>= 10.8.0, < 10.8.4
MEDIUM4.9CVE-2025-8402Mattermost has Potential Server Crash due to Unvalidated Import Data in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.18+incompatible, >= 10.5.0+incompatible, < 10.5.9+incompatible, >= 10.8.0+incompatible, < 10.8.4+incompatible, >= 10.9.0+incompatible, < 10.9.4+incompatible, >= 10.10.0+incompatible, < 10.10.1+incompatible
MEDIUM4.9CVE-2023-5968Mattermost password hash disclosure vulnerability
from 0, < 5.3.2-0.20230825233148-f787fd63368a
MEDIUM4.9CVE-2017-18918Mattermost Server does not restrict SAML certificate path for System Administrators
from 0, < 3.6.5
MEDIUM4.9CVE-2017-18918Mattermost Server does not restrict SAML certificate path for System Administrators
from 0, < 3.6.5+incompatible, >= 3.7.0+incompatible, < 3.7.3+incompatible
MEDIUM4.8CVE-2024-48872Mattermost Race Condition vulnerability in github.com/mattermost/mattermost-server
>= 9.5.0+incompatible, < 9.5.13+incompatible, >= 9.11.0+incompatible, < 9.11.5+incompatible, >= 10.0.0+incompatible, < 10.0.3+incompatible, >= 10.1.0+incompatible, < 10.1.3+incompatible
MEDIUM4.8CVE-2024-39836Mattermost allows remote/synthetic users to create sessions, reset passwords in github.com/mattermost/mattermost-server
>= 9.5.0+incompatible, < 9.5.8+incompatible, >= 9.8.0+incompatible, < 9.8.3+incompatible, >= 9.9.0+incompatible, < 9.9.2+incompatible, >= 9.10.0+incompatible, < 9.10.1+incompatible
MEDIUM4.7CVE-2025-32093Mattermost Fails to Restrict Certain Operations on System Admins in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.10+incompatible, >= 10.4.0+incompatible, < 10.4.4+incompatible, >= 10.5.0+incompatible, < 10.5.2+incompatible
MEDIUM4.7CVE-2025-32093Mattermost Fails to Restrict Certain Operations on System Admins in github.com/mattermost/mattermost-server
>= 10.5.0, < 10.5.2
MEDIUM4.7CVE-2024-8071Mattermost doesn't restrict which roles can promote a user as system admin in github.com/mattermost/mattermost-server
>= 9.5.0+incompatible, < 9.5.8+incompatible, >= 9.8.0+incompatible, < 9.8.3+incompatible, >= 9.9.0+incompatible, < 9.9.2+incompatible, >= 9.10.0+incompatible, < 9.10.1+incompatible
MEDIUM4.7CVE-2024-29221Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server
>= 9.3.0+incompatible, < 9.3.3+incompatible, >= 9.4.0+incompatible, < 9.4.4+incompatible, >= 9.5.0+incompatible, < 9.5.2+incompatible
MEDIUM4.6CVE-2024-46872Mattermost Server Path Traversal vulnerability that leads to Cross-Site Request Forgery
from 0
MEDIUM4.6CVE-2024-40886Mattermost Cross-Site Request Forgery vulnerability in github.com/mattermost/mattermost-server
>= 9.5.0+incompatible, < 9.5.8+incompatible, >= 9.8.0+incompatible, < 9.8.3+incompatible, >= 9.9.0+incompatible, < 9.9.2+incompatible, >= 9.10.0+incompatible, < 9.10.1+incompatible
MEDIUM4.6CVE-2022-1385Improper Control of a Resource Through its Lifetime in Mattermost in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2026-6339Mattermost doesn't validate the X-Requested-With header on the burn-on-read reveal endpoint
from 0, < 5.3.2-0.20260327001745-7a339a6438f5
MEDIUM4.3CVE-2026-28732Mattermost doesn't enforce slash command trigger-word uniqueness during command updates
from 0, < 5.3.2-0.20260306123948-f5fe8ded6b63
MEDIUM4.3CVE-2026-2325Mattermost doesn't limit the size of the request body on the start meeting API endpoint
>= 11.5.0, < 11.5.2
MEDIUM4.3CVE-2026-28759Mattermost does not verify remote cluster channel access when processing shared channel membership removals
from 0, < 5.3.2-0.20260216150504-8738f8c4b3d4
MEDIUM4.3CVE-2026-3637Mattermost doesn't check the create_post channel permission during post edit operations
from 0, < 5.3.2-0.20260316171743-090408f09f53
MEDIUM4.3CVE-2026-6340Mattermost doesn't validate 7zip archive structure before processing
from 0, < 5.3.2-0.20260325191733-fb11968f8798
MEDIUM4.3CVE-2026-4054Mattermost doesn't validate the response body of proxied images
>= 11.5.0, < 11.5.2
MEDIUM4.3CVE-2026-26233Mattermost doesn't rate limit login requests, allowing DoS
>= 11.4.0-rc1, < 11.4.1
MEDIUM4.3CVE-2026-26233Mattermost doesn't rate limit login requests, allowing DoS
>= 10.11.0-rc1+incompatible, < 10.11.12+incompatible, >= 11.2.0-rc1+incompatible, < 11.2.4+incompatible, >= 11.3.0-rc1+incompatible, < 11.3.2+incompatible, >= 11.4.0-rc1+incompatible, < 11.4.1+incompatible
MEDIUM4.3CVE-2026-24692Mattermost fails to properly enforce read permissions in search API endpoints
>= 10.11.0-rc1+incompatible, < 10.11.11+incompatible, >= 11.2.0-rc1+incompatible, < 11.2.3+incompatible, >= 11.3.0-rc1+incompatible, < 11.3.1+incompatible
MEDIUM4.3CVE-2026-2455Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation
from 0, < 5.3.2-0.20260129133647-5d787969c2d5
MEDIUM4.3CVE-2026-24692Mattermost fails to properly enforce read permissions in search API endpoints
from 0, < 5.3.2-0.20260107142155-0481bd1fb045
MEDIUM4.3CVE-2026-2455Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation
>= 10.11.0-rc1+incompatible, < 10.11.11+incompatible, >= 11.2.0-rc1+incompatible, < 11.2.3+incompatible, >= 11.3.0-rc1+incompatible, < 11.3.1+incompatible
MEDIUM4.3CVE-2026-21386Mattermost fails to use consistent error responses when handling the /mute command
from 0, < 5.3.2-0.20260130144323-5bb5261c72fa
MEDIUM4.3CVE-2026-21386Mattermost fails to use consistent error responses when handling the /mute command
>= 10.11.0-rc1+incompatible, < 10.11.11+incompatible, >= 11.2.0-rc1+incompatible, < 11.2.3+incompatible, >= 11.3.0-rc1+incompatible, < 11.3.1+incompatible
MEDIUM4.3CVE-2026-4265Mattermost fails to validate team-specific upload_file permissions
from 0, < 5.3.2-0.20260107144005-c7f6efdfb035
MEDIUM4.3CVE-2026-4265Mattermost fails to validate team-specific upload_file permissions
>= 10.11.0-rc1+incompatible, < 10.11.11+incompatible, >= 11.2.0-rc1+incompatible, < 11.2.3+incompatible, >= 11.3.0-rc1+incompatible, < 11.3.1+incompatible
MEDIUM4.3CVE-2026-2578Mattermost fails to preserve the redacted state of burn-on-read posts during deletion
from 0, < 5.3.2-0.20260127062706-c6b205f0d770
MEDIUM4.3CVE-2026-2463Mattermost fails to filter invite IDs based on user permissions
>= 10.11.0-rc1+incompatible, < 10.11.11+incompatible, >= 11.2.0-rc1+incompatible, < 11.2.3+incompatible, >= 11.3.0-rc1+incompatible, < 11.3.1+incompatible
MEDIUM4.3CVE-2026-2458Mattermost allows a removed team member to enumerate all public channels within a private team
>= 10.11.0-rc1+incompatible, < 10.11.11+incompatible, >= 11.2.0-rc1+incompatible, < 11.2.3+incompatible, >= 11.3.0-rc1+incompatible, < 11.3.1+incompatible
MEDIUM4.3CVE-2026-2463Mattermost fails to filter invite IDs based on user permissions
from 0, < 5.3.2-0.20260105134819-cc427af41b2a
MEDIUM4.3CVE-2026-2578Mattermost fails to preserve the redacted state of burn-on-read posts during deletion
>= 10.11.0-rc1+incompatible, < 10.11.11+incompatible, >= 11.2.0-rc1+incompatible, < 11.2.3+incompatible, >= 11.3.0-rc1+incompatible, < 11.3.1+incompatible
MEDIUM4.3CVE-2026-2458Mattermost allows a removed team member to enumerate all public channels within a private team
from 0, < 5.3.2-0.20260113182106-a18b80ba4c32
MEDIUM4.3CVE-2026-26246Mattermost fails to bound memory allocation when processing PSD image files
>= 10.11.0-rc1+incompatible, < 10.11.11+incompatible, >= 11.2.0-rc1+incompatible, < 11.2.3+incompatible, >= 11.3.0-rc1+incompatible, < 11.3.1+incompatible
MEDIUM4.3CVE-2026-2457Mattermost allows attackers to spoof permalink embeds
from 0, < 5.3.2-0.20260123211116-9efe617be8b8
MEDIUM4.3CVE-2026-25783Mattermost fails to properly validate User-Agent header tokens
from 0, < 5.3.2-0.20260129181235-1346cf529aef
MEDIUM4.3CVE-2026-26246Mattermost fails to bound memory allocation when processing PSD image files
from 0, < 5.3.2-0.20260115183946-38b413a27604
MEDIUM4.3CVE-2026-2457Mattermost allows attackers to spoof permalink embeds
>= 10.11.0-rc1+incompatible, < 10.11.11+incompatible, >= 11.2.0-rc1+incompatible, < 11.2.3+incompatible, >= 11.3.0-rc1+incompatible, < 11.3.1+incompatible
MEDIUM4.3CVE-2026-25783Mattermost fails to properly validate User-Agent header tokens
>= 10.11.0-rc1+incompatible, < 10.11.11+incompatible, >= 11.2.0-rc1+incompatible, < 11.2.3+incompatible, >= 11.3.0-rc1+incompatible, < 11.3.1+incompatible
MEDIUM4.3CVE-2026-25780Mattermost fails to bound memory allocation when processing DOC files
from 0, < 5.3.2-0.20260123215601-86797c508c44
MEDIUM4.3CVE-2026-25780Mattermost fails to bound memory allocation when processing DOC files
>= 10.11.0-rc1+incompatible, < 10.11.11+incompatible, >= 11.2.0-rc1+incompatible, < 11.2.3+incompatible, >= 11.3.0-rc1+incompatible, < 11.3.1+incompatible
MEDIUM4.3CVE-2025-14350Mattermost fails to properly validate team membership when processing channel mentions
>= 11.1.0
MEDIUM4.3CVE-2025-14350Mattermost fails to properly validate team membership when processing channel mentions
from 0
MEDIUM4.3CVE-2026-22892Mattermost doesn't validate user permissions when creating Jira issues from Mattermost posts in github.com/mattermost/mattermost-server
>= 10.11.0+incompatible, < 10.11.10+incompatible, >= 11.1.0+incompatible, < 11.1.3+incompatible, >= 11.2.0+incompatible, < 11.2.2+incompatible
MEDIUM4.3CVE-2026-22892Mattermost doesn't validate user permissions when creating Jira issues from Mattermost posts in github.com/mattermost/mattermost-server
>= 11.2.0, < 11.2.2
MEDIUM4.3CVE-2025-13767Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues
>= 10.11.0+incompatible, < 10.11.8+incompatible, >= 10.12.0+incompatible, < 10.12.4+incompatible, >= 11.0.1+incompatible, < 11.0.6+incompatible, >= 11.1.0+incompatible, < 11.1.1+incompatible
MEDIUM4.3CVE-2025-13767Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues
>= 10.11.0, < 10.11.8
MEDIUM4.3CVE-2025-13324Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation in github.com/mattermost/mattermost
from 0, < 11.0.4
MEDIUM4.3CVE-2025-13324Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation in github.com/mattermost/mattermost
from 0, < 11.0.4+incompatible
MEDIUM4.3CVE-2025-12756Mattermost fails to validate user permissions when deleting comments in Boards in github.com/mattermost/mattermost
from 0
MEDIUM4.3CVE-2025-12559Mattermost fails to sanitize team email addresses in github.com/mattermost/mattermost-server
>= 11.0.0, < 11.0.3
MEDIUM4.3CVE-2025-12559Mattermost fails to sanitize team email addresses in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2025-11776Mattermost fails to properly restrict access to archived channel search API in github.com/mattermost/mattermost
from 0, < 5.3.2-0.20250815165020-c8d66301415d
MEDIUM4.3CVE-2025-11776Mattermost fails to properly restrict access to archived channel search API in github.com/mattermost/mattermost
from 0
MEDIUM4.3CVE-2025-41443Guest user can discover active public channels in github.com/mattermost/mattermost-server
>= 10.5.0, < 10.5.11
MEDIUM4.3CVE-2025-41443Guest user can discover active public channels in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2025-9078Mattermost makes Use of Weak Hash in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.18+incompatible, >= 10.5.0+incompatible, < 10.5.9+incompatible, >= 10.8.0+incompatible, < 10.8.4+incompatible, >= 10.9.0+incompatible, < 10.9.4+incompatible, >= 10.10.0+incompatible, < 10.10.2+incompatible
MEDIUM4.3CVE-2025-9078Mattermost makes Use of Weak Hash in github.com/mattermost/mattermost-server
>= 10.8.0, < 10.8.4
MEDIUM4.3CVE-2025-6465Mattermost Fails to Sanitize File Names in github.com/mattermost/mattermost-server
>= 10.5.0+incompatible, < 10.5.9+incompatible, >= 10.8.0+incompatible, < 10.8.4+incompatible, >= 10.9.0+incompatible, < 10.9.4+incompatible, >= 10.10.0+incompatible, < 10.10.1+incompatible
MEDIUM4.3CVE-2025-6465Mattermost Fails to Sanitize File Names in github.com/mattermost/mattermost-server
>= 10.8.0, < 10.8.4
MEDIUM4.3CVE-2025-47870Mattermost Does Not Sanitize the Team Invite ID in github.com/mattermost/mattermost-server
>= 10.8.0, < 10.8.4
MEDIUM4.3CVE-2025-47870Mattermost Does Not Sanitize the Team Invite ID in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.18+incompatible, >= 10.5.0+incompatible, < 10.5.9+incompatible, >= 10.8.0+incompatible, < 10.8.4+incompatible, >= 10.9.0+incompatible, < 10.9.3+incompatible
MEDIUM4.3CVE-2025-47871Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
from 0, < 0.0.0-20250513065225-4ae5d647fb88
MEDIUM4.3CVE-2025-47871Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
from 0, < 0.0.0-20250513065225-4ae5d647fb88, >= 9.11.0+incompatible, < 9.11.16+incompatible, >= 10.5.0+incompatible, < 10.5.6+incompatible, >= 10.6.0+incompatible, < 10.6.6+incompatible, >= 10.7.0+incompatible, < 10.7.3+incompatible, >= 10.8.0+incompatible, < 10.8.1+incompatible
MEDIUM4.3CVE-2025-3228Mattermost allows an unauthorized Guest user access to Playbook in github.com/mattermost/mattermost-server
from 0, < 0.0.0-20250520060012-d0380305ef7a
MEDIUM4.3CVE-2025-3227Mattermost allows unauthorized channel member management through playbook runs in github.com/mattermost/mattermost-server
from 0, < 0.0.0-20250520060012-d0380305ef7a
MEDIUM4.3CVE-2025-3228Mattermost allows an unauthorized Guest user access to Playbook in github.com/mattermost/mattermost-server
from 0, < 0.0.0-20250520060012-d0380305ef7a, >= 9.11.0+incompatible, < 9.11.16+incompatible, >= 10.5.0+incompatible, < 10.5.6+incompatible, >= 10.6.0+incompatible, < 10.6.6+incompatible, >= 10.7.0+incompatible, < 10.7.3+incompatible, >= 10.8.0+incompatible, < 10.8.1+incompatible
MEDIUM4.3CVE-2025-3227Mattermost allows unauthorized channel member management through playbook runs in github.com/mattermost/mattermost-server
from 0, < 0.0.0-20250520060012-d0380305ef7a, >= 9.11.0+incompatible, < 9.11.16+incompatible, >= 10.5.0+incompatible, < 10.5.6+incompatible, >= 10.6.0+incompatible, < 10.6.6+incompatible, >= 10.7.0+incompatible, < 10.7.3+incompatible, >= 10.8.0+incompatible, < 10.8.1+incompatible
MEDIUM4.3CVE-2025-2527Mattermost Fails to Verify User's Permissions When Accessing Groups in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.12+incompatible, >= 10.5.0+incompatible, < 10.5.3+incompatible
MEDIUM4.3CVE-2025-3446Mattermost Fails to Validate Team Invite Permissions in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.12+incompatible, >= 10.4.0+incompatible, < 10.4.5+incompatible, >= 10.5.0+incompatible, < 10.5.3+incompatible, >= 10.6.0+incompatible, < 10.6.2+incompatible
MEDIUM4.3CVE-2025-2564Mattermost Incorrect Authorization vulnerability
>= 9.11.0+incompatible, < 9.11.10+incompatible, >= 10.4.0+incompatible, < 10.4.4+incompatible, >= 10.5.0+incompatible, < 10.5.2+incompatible
MEDIUM4.3CVE-2025-27571Mattermost Incorrect Authorization vulnerability
>= 9.11.0+incompatible, < 9.11.10+incompatible, >= 10.4.0+incompatible, < 10.4.4+incompatible, >= 10.5.0+incompatible, < 10.5.2+incompatible
MEDIUM4.3CVE-2025-30179Mattermost Fails to Enforce Certain Search APIs in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.9+incompatible, >= 10.3.0+incompatible, < 10.3.4+incompatible, >= 10.4.0+incompatible, < 10.4.3+incompatible, >= 10.5.0+incompatible, < 10.5.1+incompatible
MEDIUM4.3CVE-2025-25274Mattermost Fails to Restrict Command Execution in Archived Channels in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.9+incompatible, >= 10.3.0+incompatible, < 10.3.4+incompatible, >= 10.4.0+incompatible, < 10.4.3+incompatible, >= 10.5.0+incompatible, < 10.5.1+incompatible
MEDIUM4.3CVE-2025-24920Mattermost Fails to Restrict Bookmark Creation and Updates in Archived Channels in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.9+incompatible, >= 10.3.0+incompatible, < 10.3.4+incompatible, >= 10.4.0+incompatible, < 10.4.3+incompatible, >= 10.5.0+incompatible, < 10.5.1+incompatible
MEDIUM4.3CVE-2025-1472Mattermost Fails to Properly Perform Viewer Role Authorization in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.9+incompatible
MEDIUM4.3CVE-2025-1472Mattermost Fails to Properly Perform Viewer Role Authorization in github.com/mattermost/mattermost-server
>= 9.11.0, < 9.11.9
MEDIUM4.3CVE-2025-24526Mattermost fails to restrict channel export of archived channels in github.com/mattermost/mattermost-server
>= 9.11.0-rc1+incompatible, < 9.11.8+incompatible, >= 10.2.0-rc1+incompatible, < 10.2.3+incompatible, >= 10.3.0-rc1+incompatible, < 10.3.3+incompatible, >= 10.4.0-rc1+incompatible, < 10.4.2+incompatible
MEDIUM4.3CVE-2025-20033Mattermost Improper Validation of Specified Type of Input vulnerability
>= 10.0.0+incompatible, < 10.0.4+incompatible, >= 10.1.0+incompatible, < 10.1.4+incompatible, >= 10.2.0+incompatible, < 10.2.1+incompatible
MEDIUM4.3CVE-2024-10241Mattermost Server allows user to get private channel names in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2024-50052Mattermost server allows authenticated user to delete arbitrary post in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2024-47401Mattermost Server vulnerable to application crash from attacker-generated large response in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2024-43780Mattermost allows guest user with read access to upload files to a channel in github.com/mattermost/mattermost-server
>= 9.5.0+incompatible, < 9.5.8+incompatible, >= 9.8.0+incompatible, < 9.8.3+incompatible, >= 9.9.0+incompatible, < 9.9.2+incompatible, >= 9.10.0+incompatible, < 9.10.1+incompatible
MEDIUM4.3CVE-2024-32939Mattermost doesn't redact remote users' original email addresses in github.com/mattermost/mattermost-server
>= 9.5.0+incompatible, < 9.5.8+incompatible, >= 9.8.0+incompatible, < 9.8.3+incompatible, >= 9.9.0+incompatible, < 9.9.2+incompatible, >= 9.10.0+incompatible, < 9.10.1+incompatible
MEDIUM4.3CVE-2024-39839Mattermost allows a user on a remote to set their remote username prop to an arbitrary string in github.com/mattermost/mattermost-server
>= 9.5.0+incompatible, < 9.5.7+incompatible, >= 9.7.0+incompatible, < 9.7.6+incompatible, >= 9.8.0+incompatible, < 9.8.2+incompatible, >= 9.9.0+incompatible, < 9.9.1+incompatible
MEDIUM4.3CVE-2024-32046Mattermost's detailed error messages reveal the full file path in github.com/mattermost/mattermost-server
>= 8.1.0, < 8.1.12
MEDIUM4.3CVE-2024-32046Mattermost's detailed error messages reveal the full file path in github.com/mattermost/mattermost-server
>= 8.1.0+incompatible, < 8.1.12+incompatible, >= 9.4.0+incompatible, < 9.4.5+incompatible, >= 9.5.0+incompatible, < 9.5.3+incompatible, >= 9.6.0-rc1+incompatible, < 9.6.1+incompatible
MEDIUM4.3CVE-2024-4183Mattermost fails to limit the number of active sessions in github.com/mattermost/mattermost-server
>= 8.1.0+incompatible, < 8.1.12+incompatible, >= 9.4.0+incompatible, < 9.4.5+incompatible, >= 9.5.0+incompatible, < 9.5.3+incompatible, >= 9.6.0-rc1+incompatible, < 9.6.1+incompatible
MEDIUM4.3CVE-2024-4182Mattermost crashes web clients via a malformed custom status in github.com/mattermost/mattermost-server
>= 8.1.0, < 8.1.12
MEDIUM4.3CVE-2024-4182Mattermost crashes web clients via a malformed custom status in github.com/mattermost/mattermost-server
>= 8.1.0+incompatible, < 8.1.12+incompatible, >= 9.4.0+incompatible, < 9.4.5+incompatible, >= 9.5.0+incompatible, < 9.5.3+incompatible, >= 9.6.0-rc1+incompatible, < 9.6.1+incompatible
MEDIUM4.3CVE-2024-4183Mattermost fails to limit the number of active sessions in github.com/mattermost/mattermost-server
>= 9.6.0-rc1, < 9.6.1
MEDIUM4.3CVE-2024-28949Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost-server
>= 9.3.0+incompatible, < 9.3.3+incompatible, >= 9.4.0+incompatible, < 9.4.4+incompatible, >= 9.5.0+incompatible, < 9.5.2+incompatible
MEDIUM4.3CVE-2024-1953Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server
>= 9.2.0+incompatible, < 9.2.5+incompatible, >= 9.3.0+incompatible, < 9.3.1+incompatible, >= 9.4.0+incompatible, < 9.4.2+incompatible
MEDIUM4.3CVE-2024-1942Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server
>= 9.2.0+incompatible, < 9.2.5+incompatible, >= 9.3.0+incompatible, < 9.3.1+incompatible
MEDIUM4.3CVE-2024-23493Mattermost leaks details of AD/LDAP groups of a teams
>= 9.2.0+incompatible, < 9.2.5+incompatible, >= 9.3.0+incompatible, < 9.3.1+incompatible, >= 9.4.0+incompatible, < 9.4.2+incompatible
MEDIUM4.3CVE-2024-24988Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server
>= 9.2.0+incompatible, < 9.2.5+incompatible, >= 9.3.0+incompatible, < 9.3.1+incompatible
MEDIUM4.3CVE-2024-1888Mattermost fails to check the "invite_guest" permission in github.com/mattermost/mattermost-server
>= 9.2.0+incompatible, < 9.2.5+incompatible, >= 9.3.0+incompatible, < 9.3.1+incompatible, >= 9.4.0+incompatible, < 9.4.2+incompatible
MEDIUM4.3CVE-2024-1887Mattermost post fetching without auditing in compliance export
>= 9.2.0+incompatible, < 9.2.5+incompatible, >= 9.3.0+incompatible, < 9.3.1+incompatible
MEDIUM4.3CVE-2024-1402Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server
>= 9.1.0+incompatible, < 9.1.5+incompatible, >= 9.2.0+incompatible, < 9.2.4+incompatible
MEDIUM4.3CVE-2023-47858Mattermost viewing archived public channels permissions vulnerability
from 0
MEDIUM4.3CVE-2023-48732Mattermost notified all users in the channel when using WebSockets to respond individually
from 0, < 8.1.7+incompatible
MEDIUM4.3CVE-2017-18890Mattermost Server allows attackers to create buttons that can launch API requests in github.com/mattermost/mattermost-server
from 0, < 4.1.2
MEDIUM4.3CVE-2017-18890Mattermost Server allows attackers to create buttons that can launch API requests in github.com/mattermost/mattermost-server
from 0, < 4.1.2+incompatible, >= 4.2.0-rc1+incompatible, < 4.2.1+incompatible, >= 4.3.0-rc1+incompatible, < 4.3.0+incompatible
MEDIUM4.3CVE-2017-18889Mattermost Server is vulnerable to webhook and slash command manipulation in github.com/mattermost/mattermost-server
from 0, < 4.1.2
MEDIUM4.3CVE-2017-18889Mattermost Server is vulnerable to webhook and slash command manipulation in github.com/mattermost/mattermost-server
from 0, < 4.1.2+incompatible, >= 4.2.0-rc1+incompatible, < 4.2.1+incompatible, >= 4.3.0-rc1+incompatible, < 4.3.0+incompatible
MEDIUM4.3CVE-2017-18878Mattermost Server allows users with a session ID to revoke another users' session in github.com/mattermost/mattermost-server
>= 4.3.0-rc1+incompatible, < 4.3.0+incompatible
MEDIUM4.3CVE-2017-18878Mattermost Server allows users with a session ID to revoke another users' session in github.com/mattermost/mattermost-server
from 0, < 4.1.2-0.20171004201910-6be8113eb60c
MEDIUM4.3CVE-2016-11081Mattermost Server exposes information stored by a web browser in github.com/mattermost/mattermost-server
from 0, < 2.2.0
MEDIUM4.3CVE-2017-18872Mattermost Server's OAuth 2.0 service is vulnerable to attack through Missing Authorization in github.com/mattermost/mattermost-server
from 0, < 4.3.3
MEDIUM4.3CVE-2016-11081Mattermost Server exposes information stored by a web browser in github.com/mattermost/mattermost-server
from 0, < 2.2.0+incompatible
MEDIUM4.3CVE-2017-18872Mattermost Server's OAuth 2.0 service is vulnerable to attack through Missing Authorization in github.com/mattermost/mattermost-server
from 0, < 4.3.3+incompatible, >= 4.4.0-rc1+incompatible, < 4.4.3+incompatible
MEDIUM4.3CVE-2022-1332Improper Privilege Management in Mattermost in github.com/mattermost/mattermost-server
from 0
MEDIUM4.2CVE-2025-2571Mattermost fails to clear Google OAuth credentials in github.com/mattermost/mattermost-server
>= 9.0.0-rc1+incompatible, < 9.11.13+incompatible, >= 10.0.0-rc1+incompatible, < 10.5.4+incompatible, >= 10.6.0-rc1+incompatible, < 10.6.3+incompatible, >= 10.7.0-rc1+incompatible, < 10.7.1+incompatible
MEDIUM4.1CVE-2025-64641Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin
>= 10.11.0+incompatible, < 10.11.8+incompatible, >= 10.12.0+incompatible, < 10.12.4+incompatible, >= 11.0.1+incompatible, < 11.0.6+incompatible, >= 11.1.0+incompatible, < 11.1.1+incompatible
MEDIUM4.1CVE-2025-64641Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin
>= 10.11.0, < 10.11.8
MEDIUM4.1CVE-2025-4573Mattermost allows authenticated administrator to execute LDAP search filter injection in github.com/mattermost/mattermost-server
>= 10.7.0, < 10.7.2
MEDIUM4.1CVE-2025-4573Mattermost allows authenticated administrator to execute LDAP search filter injection in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.14+incompatible, >= 10.5.0+incompatible, < 10.5.5+incompatible, >= 10.6.0+incompatible, < 10.6.4+incompatible, >= 10.7.0+incompatible, < 10.7.2+incompatible
MEDIUM4.1CVE-2024-41162Mattermost allows a remote actor to make an arbitrary local channel read-only in github.com/mattermost/mattermost-server
>= 9.5.0+incompatible, < 9.5.7+incompatible, >= 9.7.0+incompatible, < 9.7.6+incompatible, >= 9.8.0+incompatible, < 9.8.2+incompatible, >= 9.9.0+incompatible, < 9.9.1+incompatible
LOW3.8CVE-2026-3495Mattermost doesn't escape some variables that could contain malicious content during error page composition
from 0, < 5.3.2-0.20260310115442-5a1ea95044dc
LOW3.8CVE-2025-14573Mattermost fails to enforce invite permissions when updating team settings
from 0
LOW3.8CVE-2025-14573Mattermost fails to enforce invite permissions when updating team settings
>= 11.1.0
LOW3.8CVE-2025-53971Mattermost Fails to Properly Validate Team Role Modification in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.18+incompatible, >= 10.5.0+incompatible, < 10.5.9+incompatible
LOW3.8CVE-2025-53971Mattermost Fails to Properly Validate Team Role Modification in github.com/mattermost/mattermost-server
>= 10.5.0, < 10.5.9
LOW3.8CVE-2025-22449Mattermost Incorrect Authorization vulnerability
>= 9.11.0+incompatible
LOW3.8CVE-2024-39837Mattermost did not properly restrict channel creation in github.com/mattermost/mattermost-server
>= 9.9.0, < 9.9.1
LOW3.8CVE-2024-39837Mattermost did not properly restrict channel creation in github.com/mattermost/mattermost-server
>= 9.5.0+incompatible, < 9.5.7+incompatible, >= 9.9.0+incompatible, < 9.9.1+incompatible
LOW3.7CVE-2026-4273Mattermost doesn't validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation
from 0, < 5.3.2-0.20260313190740-742e0be95074
LOW3.7CVE-2023-50333Mattermost allows demoted guests to change group names
from 0
LOW3.7CVE-2023-7113Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server
from 0
LOW3.5CVE-2026-6333Mattermost doesn't validate the Host header when constructing response URLs for custom slash command
from 0, < 5.3.2-0.20260325160634-e738016c5920
LOW3.5CVE-2025-47700Mattermost Server SSRF Vulnerability via the Agents Plugin in github.com/mattermost/mattermost-server
>= 10.5.0+incompatible, < 10.5.10+incompatible
LOW3.5CVE-2025-49810Mattermost Lack of Access Control Validation in github.com/mattermost/mattermost-server
>= 10.5.0+incompatible, < 10.5.9+incompatible
LOW3.5CVE-2025-47700Mattermost Server SSRF Vulnerability via the Agents Plugin in github.com/mattermost/mattermost-server
>= 10.5.0, < 10.5.10
LOW3.5CVE-2025-49810Mattermost Lack of Access Control Validation in github.com/mattermost/mattermost-server
>= 10.5.0, < 10.5.9
LOW3.5CVE-2025-22445Mattermost has Improper Check for Unusual or Exceptional Conditions
from 0, < 10.3.0+incompatible
LOW3.5CVE-2024-10214Mattermost incorrectly issues two sessions when using desktop SSO
from 0
LOW3.3CVE-2025-27715Mattermost fail to prompt for explicit approval before adding a team admin to a private channel in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.9+incompatible
LOW3.1CVE-2026-6334Mattermost doesn't enforce client identity binding during the OAuth authorization code redemption flow
from 0, < 5.3.2-0.20260318173148-e9ae890a013b
LOW3.1CVE-2026-4053Mattermost doesn't enforce the PostEditTimeLimit on non-message post fields
>= 11.5.0, < 11.5.2
LOW3.1CVE-2026-22545Mattermost fails to validate user's authentication method when processing account auth type switch
>= 10.11.0-rc1+incompatible, < 10.11.11+incompatible, >= 11.2.0-rc1+incompatible, < 11.2.3+incompatible, >= 11.3.0-rc1+incompatible, < 11.3.1+incompatible
LOW3.1CVE-2026-22545Mattermost fails to validate user's authentication method when processing account auth type switch
from 0, < 5.3.2-0.20260127144908-ced9a56e3988
LOW3.1CVE-2026-20796Mattermost doesn't properly validate channel membership at the time of data retrieval in github.com/mattermost/mattermost-server
>= 10.11.0+incompatible, < 10.11.10+incompatible
LOW3.1CVE-2026-20796Mattermost doesn't properly validate channel membership at the time of data retrieval in github.com/mattermost/mattermost-server
>= 10.11.0, < 10.11.10
LOW3.1CVE-2025-14822Mattermost is vulnerable to CPU exhaustion via crafted HTTP request
>= 10.11.0+incompatible, < 10.11.9+incompatible, >= 11.0.1+incompatible, < 11.2.0+incompatible
LOW3.1CVE-2025-14822Mattermost is vulnerable to CPU exhaustion via crafted HTTP request
>= 10.11.0, < 10.11.9
LOW3.1CVE-2025-62690Mattermost has missing redirect URL validation in github.com/mattermost/mattermost
from 0
LOW3.1CVE-2025-13870Mattermost fails to validate user permissions in Boards in github.com/mattermost/mattermost
from 0
LOW3.1CVE-2025-41436Mattermost allows regular users to access archived channel content and files in github.com/mattermost/mattermost-server
from 0, < 11.0.0-alpha.1+incompatible
LOW3.1CVE-2025-41436Mattermost allows regular users to access archived channel content and files in github.com/mattermost/mattermost-server
from 0, < 11.0.0-alpha.1
LOW3.1CVE-2025-11777Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost
>= 10.11.0, < 10.11.4
LOW3.1CVE-2025-11777Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost
>= 10.5.0+incompatible, < 10.5.12+incompatible, >= 10.11.0+incompatible, < 10.11.4+incompatible
LOW3.1CVE-2025-10545Mattermost has an Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
>= 10.5.0, < 10.5.11
LOW3.1CVE-2025-10545Mattermost has an Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
>= 10.5.0+incompatible, < 10.5.11+incompatible, >= 10.11.0+incompatible, < 10.11.3+incompatible
LOW3.1CVE-2025-54499Mattermost has an Observable Timing Discrepancy vulnerability in github.com/mattermost/mattermost-server
>= 10.5.0, < 10.5.11
LOW3.1CVE-2025-54499Mattermost has an Observable Timing Discrepancy vulnerability in github.com/mattermost/mattermost-server
>= 10.5.0+incompatible, < 10.5.11+incompatible, >= 10.11.0+incompatible, < 10.11.3+incompatible
LOW3.1CVE-2025-9081Mattermost boards plugin fails to restrict download access to files in github.com/mattermost/mattermost-plugin-boards
>= 9.11.0-rc1+incompatible, < 9.11.18+incompatible, >= 10.5.0-rc1+incompatible, < 10.5.9+incompatible
LOW3.1CVE-2025-9081Mattermost boards plugin fails to restrict download access to files in github.com/mattermost/mattermost-plugin-boards
>= 10.5.0-rc1, < 10.5.9
LOW3.1CVE-2025-9084Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server
>= 10.5.0, < 10.5.10
LOW3.1CVE-2025-9084Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server
>= 10.5.0+incompatible, < 10.5.10+incompatible
LOW3.1CVE-2025-4128Mattermost allows guest users to view information about public teams they are not members of in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.14+incompatible, >= 10.5.0+incompatible, < 10.5.5+incompatible
LOW3.1CVE-2025-4128Mattermost allows guest users to view information about public teams they are not members of in github.com/mattermost/mattermost-server
>= 10.5.0, < 10.5.5
LOW3.1CVE-2025-1792Mattermost fails to properly enforce access controls for guest users in github.com/mattermost/mattermost-server
>= 9.0.0-rc1+incompatible, < 9.11.13+incompatible, >= 10.0.0-rc1+incompatible, < 10.5.4+incompatible, >= 10.6.0-rc1+incompatible, < 10.7.1+incompatible
LOW3.1CVE-2025-3611Mattermost fails to properly enforce access control restrictions for System Manager roles
>= 9.0.0-rc1+incompatible, < 9.11.13+incompatible, >= 10.0.0-rc1+incompatible, < 10.5.4+incompatible, >= 10.6.0-rc1+incompatible, < 10.7.1+incompatible
LOW3.1CVE-2025-41423Mattermost Playbooks fails to properly validate permissions
>= 9.11.0+incompatible
LOW3.1CVE-2025-24839Mattermost Incorrect Authorization vulnerability
>= 9.11.0+incompatible, < 9.11.10+incompatible, >= 10.4.0+incompatible, < 10.4.4+incompatible, >= 10.5.0+incompatible, < 10.5.2+incompatible
LOW3.1CVE-2025-2424Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.10+incompatible, >= 10.5.0+incompatible, < 10.5.2+incompatible
LOW3.1CVE-2025-1412Mattermost fails to invalidate all active sessions when converting a user to a bot in github.com/mattermost/mattermost-server
>= 9.11.0-rc1+incompatible, < 9.11.7+incompatible, >= 10.4.0-rc1+incompatible, < 10.4.2+incompatible
LOW3.1CVE-2024-22091Mattermost fails to limit the size of a request path in github.com/mattermost/mattermost-server
>= 8.1.0, < 8.1.12
LOW3.1CVE-2024-22091Mattermost fails to limit the size of a request path in github.com/mattermost/mattermost-server
>= 8.1.0+incompatible, < 8.1.12+incompatible, >= 9.5.0+incompatible, < 9.5.3+incompatible, >= 9.6.0-rc1+incompatible, < 9.6.1+incompatible
LOW3.1CVE-2024-21848Mattermost Server Improper Access Control
from 0
LOW3.1CVE-2024-28053Mattermost Server Resource Exhaustion in github.com/mattermost/mattermost-server
from 0, < 0.0.0-20240209181221-674f549daf0e
LOW3.1CVE-2024-28053Mattermost Server Resource Exhaustion in github.com/mattermost/mattermost-server
from 0, < 0.0.0-20240209181221-674f549daf0e
LOW3.1CVE-2024-1952Mattermost incorrectly allows access individual posts
>= 9.0.0+incompatible, < 9.4.0+incompatible
LOW3.1CVE-2024-23488Mattermost fails to properly restrict the access of files attached to posts in github.com/mattermost/mattermost-server
>= 9.0.0+incompatible, < 9.4.2+incompatible
LOW3.1CVE-2024-24776Mattermost fails to check the required permissions
>= 9.0.0+incompatible, < 9.3.0+incompatible
LOW3.0CVE-2025-13352Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection in github.com/mattermost/mattermost
>= 10.11.0-rc1+incompatible
LOW3.0CVE-2025-55074Mattermost allows other users to determine when users had read channels via channel member objects in github.com/mattermost/mattermost-server
>= 10.5.0+incompatible, < 10.5.12+incompatible, >= 10.11.0+incompatible, < 10.11.4+incompatible
LOW3.0CVE-2025-55074Mattermost allows other users to determine when users had read channels via channel member objects in github.com/mattermost/mattermost-server
>= 10.11.0, < 10.11.4
LOW3.0CVE-2025-31363Mattermost doesn't restrict domains LLM can request to contact upstream
>= 9.11.0+incompatible, < 9.11.10+incompatible, >= 10.4.0+incompatible, < 10.4.3+incompatible, >= 10.5.0+incompatible, < 10.5.1+incompatible
LOW2.7CVE-2026-27769Mattermost doesn't validate whether users were correctly owned by the correct Connected Workspace
>= 8.0.0-20250721062209-4952acea88ce, < 8.0.0-20260316060126-bc1a2b34b1f9
LOW2.7CVE-2025-2570Mattermost Fails to Check User Access to `ExperimentalSettings` in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.12+incompatible, >= 10.5.0+incompatible, < 10.5.3+incompatible
LOW2.7CVE-2025-24866Mattermost Fails to Enforce Proper Access Controls on `/api/v4/audits` Endpoint
>= 9.11.0+incompatible, < 9.11.9+incompatible
LOW2.7CVE-2024-40884Mattermost allows team admin user without "Add Team Members" permission to disable invite URL in github.com/mattermost/mattermost-server
>= 9.5.0+incompatible, < 9.5.8+incompatible, >= 9.10.0+incompatible, < 9.10.1+incompatible
LOW2.7CVE-2024-41926Mattermost allows remote actor to set arbitrary RemoteId values for synced users in github.com/mattermost/mattermost-server
>= 9.5.0+incompatible, < 9.5.7+incompatible, >= 9.9.0+incompatible, < 9.9.1+incompatible
LOW2.7CVE-2024-29977Mattermost failed to properly validate synced reactions in github.com/mattermost/mattermost-server
>= 9.5.0+incompatible, < 9.5.7+incompatible, >= 9.9.0+incompatible, < 9.9.1+incompatible
LOW2.7CVE-2024-4195Mattermost allows team admins to promote guests to team admins in github.com/mattermost/mattermost-server
>= 9.5.0, < 9.5.3
LOW2.7CVE-2024-4195Mattermost allows team admins to promote guests to team admins in github.com/mattermost/mattermost-server
>= 8.1.0+incompatible, < 8.1.12+incompatible, >= 9.5.0+incompatible, < 9.5.3+incompatible
LOW2.7CVE-2024-4198Mattermost fails to fully validate role changes in github.com/mattermost/mattermost-server
>= 8.1.0+incompatible, < 8.1.12+incompatible, >= 9.5.0+incompatible, < 9.5.3+incompatible, >= 9.6.0-rc1+incompatible, < 9.6.1+incompatible
LOW2.7CVE-2024-4198Mattermost fails to fully validate role changes in github.com/mattermost/mattermost-server
>= 9.6.0-rc1, < 9.6.1
LOW2.7CVE-2016-11077Mattermost Server allows System Admin to modify LDAP account names and email addresses in github.com/mattermost/mattermost-server
from 0, < 3.0.0
LOW2.7CVE-2016-11077Mattermost Server allows System Admin to modify LDAP account names and email addresses in github.com/mattermost/mattermost-server
from 0, < 3.0.0+incompatible
LOW2.6CVE-2024-1949Mattermost race condition in github.com/mattermost/mattermost-server
>= 9.0.0+incompatible, < 9.4.2+incompatible
LOW2.2CVE-2025-6227Mattermost has Insufficiently Protected Credentials in github.com/mattermost/mattermost-server
>= 9.11.0+incompatible, < 9.11.17+incompatible, >= 10.5.0+incompatible, < 10.5.8+incompatible
LOW2.2CVE-2025-6227Mattermost has Insufficiently Protected Credentials in github.com/mattermost/mattermost-server
>= 10.5.0, < 10.5.8
LOW2.2CVE-2025-27538Mattermost Missing Authentication for Critical Function
>= 9.11.0+incompatible, < 9.11.10+incompatible, >= 10.5.0+incompatible, < 10.5.2+incompatible
—CVE-2017-18870CVE-2017-18870 in github.com/mattermost/mattermost-server
from 0
—CVE-2017-18912Mattermost Server allows an attacker to specify a full pathname of a log file in github.com/mattermost/mattermost-server
from 0
—CVE-2017-18917Mattermost Server uses weak hashing for OAuth, email verification tokens and invitations in github.com/mattermost/mattermost-server
from 0, < 3.7.5-0.20170421192444-247cd1e51a8c
—CVE-2017-18912Mattermost Server allows an attacker to specify a full pathname of a log file in github.com/mattermost/mattermost-server
from 0, < 3.7.4-0.20170404171331-0b5c0794fdcb
—CVE-2017-18916Mattermost Server has Improper Authorization for Integration Requests
>= 3.7.0+incompatible, < 3.7.5+incompatible, >= 3.8.0+incompatible, < 3.8.2+incompatible
—CVE-2017-18917Mattermost Server uses weak hashing for OAuth, email verification tokens and invitations in github.com/mattermost/mattermost-server
>= 3.8.0+incompatible, < 3.8.2+incompatible
—CVE-2017-18916Mattermost Server has Improper Authorization for Integration Requests
from 0, < 3.6.7-0.20170420152529-0968e4079e0a
—CVE-2017-18884Mattermost Server exposes OAuth personal access tokens to attackers in github.com/mattermost/mattermost-server
from 0, < 4.1.2
—CVE-2017-18884Mattermost Server exposes OAuth personal access tokens to attackers in github.com/mattermost/mattermost-server
from 0, < 4.1.2+incompatible, >= 4.2.0-rc1+incompatible, < 4.2.1+incompatible, >= 4.3.0-rc1+incompatible, < 4.3.0+incompatible
—CVE-2017-18877Mattermost Server is vulnerable to XSS attacks against an OAuth 2.0 allow/deny page in github.com/mattermost/mattermost-server
from 0, < 4.1.2+incompatible, >= 4.2.0+incompatible, < 4.2.1+incompatible, >= 4.3.0-rc1+incompatible, < 4.3.0+incompatible
—CVE-2017-18883Mattermost Server has low entropy for authorization data as an OAuth 2.0 Service Provider in github.com/mattermost/mattermost-server
from 0, < 4.1.2
—CVE-2017-18877Mattermost Server is vulnerable to XSS attacks against an OAuth 2.0 allow/deny page in github.com/mattermost/mattermost-server
from 0, < 4.1.2
—CVE-2017-18883Mattermost Server has low entropy for authorization data as an OAuth 2.0 Service Provider in github.com/mattermost/mattermost-server
from 0, < 4.1.2+incompatible, >= 4.2.0-rc1+incompatible, < 4.2.1+incompatible, >= 4.3.0-rc1+incompatible, < 4.3.0+incompatible
—CVE-2017-18876Mattermost Server is vulnerable to Path Traversal when files are stored locally in github.com/mattermost/mattermost-server
from 0, < 4.1.2-0.20171004201910-6be8113eb60c
—CVE-2017-18875Mattermost Server does not prevent System Admin from arbitrary file creation in github.com/mattermost/mattermost-server
>= 4.3.0-rc1+incompatible, < 4.3.0+incompatible
—CVE-2017-18875Mattermost Server does not prevent System Admin from arbitrary file creation in github.com/mattermost/mattermost-server
from 0, < 4.1.2-0.20171004201910-6be8113eb60c
—CVE-2017-18876Mattermost Server is vulnerable to Path Traversal when files are stored locally in github.com/mattermost/mattermost-server
>= 4.3.0-rc1+incompatible, < 4.3.0+incompatible
—CVE-2016-11080Mattermost Server exposes account details to any Team Administrator in github.com/mattermost/mattermost-server
from 0, < 3.0.0+incompatible
—CVE-2017-18874Mattermost Server is vulnerable to Directory Traversal by System Admins in github.com/mattermost/mattermost-server
from 0, < 4.1.2-0.20171004201910-6be8113eb60
—CVE-2016-11080Mattermost Server exposes account details to any Team Administrator in github.com/mattermost/mattermost-server
from 0, < 3.0.0
—CVE-2017-18874Mattermost Server is vulnerable to Directory Traversal by System Admins in github.com/mattermost/mattermost-server
>= 4.2.0-rc1+incompatible, < 4.2.0+incompatible, >= 4.3.0-rc1+incompatible, < 4.3.0+incompatible
—CVE-2016-11074Mattermost Server: Insufficient Password-Reset Link Invalidation in github.com/mattermost/mattermost-server
from 0, < 3.0.0
—CVE-2016-11074Mattermost Server: Insufficient Password-Reset Link Invalidation in github.com/mattermost/mattermost-server
from 0, < 3.0.0+incompatible