pkg:Go/github.com/mattermost/mattermost-server/v5

177 total CVEsCRITICAL5HIGH12MEDIUM113LOW47

✅ Check your installed version

All known vulnerabilities

CRITICAL9.9CVE-2025-12421Mattermost fails to to verify the token used during code exchange in github.com/mattermost/mattermost-server
from 0
CRITICAL9.9CVE-2025-12419Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication in github.com/mattermost/mattermost-server
from 0
CRITICAL9.9CVE-2025-4981Mattermost allows authenticated users to write files to arbitrary locations in github.com/mattermost/mattermost-server
from 0
CRITICAL9.9CVE-2025-25279Mattermost allows reading arbitrary files related to importing boards
from 0
CRITICAL9.9CVE-2025-20051Mattermost allows reading arbitrary files
from 0
HIGH8.8CVE-2022-1384Insecure plugin handling in Mattermost in github.com/mattermost/mattermost-server
from 0
HIGH8.7CVE-2024-39777Mattermost allows unsolicited invites to expose access to local channels in github.com/mattermost/mattermost-server
from 0
HIGH8.7CVE-2024-39274Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel in github.com/mattermost/mattermost-server
from 0
HIGH8.1CVE-2025-58075Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
from 0
HIGH8.1CVE-2025-58073Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
from 0
HIGH8.0CVE-2025-9079Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server
from 0
HIGH7.6CVE-2025-9072Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server
from 0
HIGH7.5CVE-2026-24458Mattermost fails to properly handle very long passwords
from 0
HIGH7.5CVE-2025-25068Mattermost Fails to Enforce MFA on Plugin Endpoints in github.com/mattermost/mattermost-server
from 0
HIGH7.5CVE-2018-21258Mattermost Server is vulnerable to a Denial of Service attack through `invite_people` command in github.com/mattermost/mattermost-server
from 0, < 5.1.0
HIGH7.4CVE-2024-36492Mattermost failed to disallow the modification of local users when syncing users in shared channels in github.com/mattermost/mattermost-server
from 0
HIGH7.2CVE-2025-14273Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-plugin-jira
from 0
MEDIUM6.8CVE-2025-8023Mattermost Fails to Sanitize Path Traversal Sequences in github.com/mattermost/mattermost-server
from 0
MEDIUM6.8CVE-2025-8023Mattermost Fails to Sanitize Path Traversal Sequences in github.com/mattermost/mattermost-server
from 0, <= 5.39.5
MEDIUM6.8CVE-2025-36530Mattermost Fails to Validate File Paths in github.com/mattermost/mattermost-server
from 0
MEDIUM6.8CVE-2025-49222Mattermost Fails to Validate Remote Cluster Upload Sessions in github.com/mattermost/mattermost-server
from 0, <= 5.39.3
MEDIUM6.8CVE-2025-36530Mattermost Fails to Validate File Paths in github.com/mattermost/mattermost-server
from 0, <= 5.11.1
MEDIUM6.8CVE-2025-49222Mattermost Fails to Validate Remote Cluster Upload Sessions in github.com/mattermost/mattermost-server
from 0
MEDIUM6.8CVE-2025-6233Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server
from 0
MEDIUM6.8CVE-2024-39832Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling in github.com/mattermost/mattermost-server
from 0
MEDIUM6.5CVE-2025-55070Mattermost does not enforce MFA on WebSocket connections in github.com/mattermost/mattermost-server
from 0
MEDIUM6.5CVE-2025-9076Mattermost Missing Authorization vulnerability in github.com/mattermost/mattermost-server
from 0
MEDIUM6.5CVE-2025-6226Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server
from 0
MEDIUM6.5CVE-2025-35965Mattermost Playbooks fails to validate the uniqueness and quantity of task actions
from 0
MEDIUM6.5CVE-2025-41395Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type
from 0
MEDIUM6.5CVE-2025-20621Mattermost webapp crash via a crafted post
from 0
MEDIUM6.5CVE-2025-20086Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server
from 0
MEDIUM6.5CVE-2025-20088Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server
from 0
MEDIUM6.5CVE-2025-21088Mattermost Incorrect Type Conversion or Cast
from 0
MEDIUM6.5CVE-2024-54083Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server
from 0
MEDIUM6.5CVE-2024-54682Mattermost Data Amplification vulnerability in github.com/mattermost/mattermost-server
from 0
MEDIUM6.5CVE-2024-2447Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server
from 0
MEDIUM6.5CVE-2023-1775Mattermost vulnerable to information disclosure
>= 5.0.0, < 7.1.6
MEDIUM6.5CVE-2022-2401Mattermost users could access some sensitive information via API call in github.com/mattermost/mattermost-server
from 0
MEDIUM6.5CVE-2022-1337Resource exhaustion in Mattermost in github.com/mattermost/mattermost-server
from 0
MEDIUM6.1CVE-2021-37860Cross-site Scripting in Mattermost in github.com/mattermost/mattermost-server
from 0, < 5.39.0
MEDIUM6.1CVE-2021-37860Cross-site Scripting in Mattermost in github.com/mattermost/mattermost-server
from 0, < 5.39.0
MEDIUM6.0CVE-2024-42497Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams in github.com/mattermost/mattermost-server
from 0
MEDIUM5.8CVE-2025-31947Mattermost Fails to Lockout LDAP Users After Repeated Login Failures in github.com/mattermost/mattermost-server
from 0
MEDIUM5.7CVE-2025-13821Mattermost fails to sanitize sensitive data in WebSocket messages
from 0
MEDIUM5.5CVE-2024-41144Mattermost allows remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server
from 0
MEDIUM5.4CVE-2026-0999Mattermost fails to properly validate login method restrictions
from 0
MEDIUM5.4CVE-2025-55073Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL in github.com/mattermost/mattermost-server
from 0
MEDIUM5.4CVE-2025-41410Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
from 0
MEDIUM5.4CVE-2025-46702Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
from 0
MEDIUM5.4CVE-2025-3230Mattermost fails to properly invalidate personal access tokens upon user deactivation in github.com/mattermost/mattermost-server
from 0
MEDIUM5.4CVE-2025-2475Mattermost vulnerable to Incorrect Implementation of Authentication Algorithm
from 0
MEDIUM5.4CVE-2025-27933Mattermost allows members with permission to convert public channels to private and convert private to public in github.com/mattermost/mattermost-server
from 0
MEDIUM5.4CVE-2024-47003Mattermost fails to strip `embeds` from `metadata` when broadcasting `posted` events in github.com/mattermost/mattermost-server
from 0
MEDIUM5.4CVE-2023-1776Mattermost vulnerable to cross-site scripting (XSS)
>= 5.0.0, < 7.1.6
MEDIUM5.4CVE-2023-1774Mattermost fails to properly authentication inviter's permissions to private channel
>= 5.0.0, < 7.1.6
MEDIUM5.3CVE-2026-2456Mattermost fails to limit the size of responses from integration action endpoints
from 0
MEDIUM5.3CVE-2025-3913Mattermost improperly allows team administrators to modify team invites in github.com/mattermost/mattermost-server
from 0
MEDIUM5.3CVE-2025-27936Mattermost vulnerable to Observable Timing Discrepancy in github.com/mattermost/mattermost-plugin-msteams
from 0
MEDIUM5.3CVE-2020-14457Mattermost Server Sensitive Data Exposure in github.com/mattermost/mattermost
from 0, < 5.20.0
MEDIUM5.3CVE-2020-14457Mattermost Server Sensitive Data Exposure in github.com/mattermost/mattermost
from 0, < 5.20.0
MEDIUM4.9CVE-2025-11794Mattermost allows system administrators to access password hashes and MFA secrets in github.com/mattermost/mattermost-server
from 0
MEDIUM4.9CVE-2025-8402Mattermost has Potential Server Crash due to Unvalidated Import Data in github.com/mattermost/mattermost-server
from 0, <= 5.39.3
MEDIUM4.9CVE-2025-8402Mattermost has Potential Server Crash due to Unvalidated Import Data in github.com/mattermost/mattermost-server
from 0
MEDIUM4.9CVE-2023-5968Mattermost password hash disclosure vulnerability
from 0, < 5.3.2-0.20230825233148-f787fd63368a
MEDIUM4.8CVE-2024-48872Mattermost Race Condition vulnerability in github.com/mattermost/mattermost-server
from 0
MEDIUM4.8CVE-2024-39836Mattermost allows remote/synthetic users to create sessions, reset passwords in github.com/mattermost/mattermost-server
from 0
MEDIUM4.7CVE-2025-32093Mattermost Fails to Restrict Certain Operations on System Admins in github.com/mattermost/mattermost-server
from 0
MEDIUM4.7CVE-2024-8071Mattermost doesn't restrict which roles can promote a user as system admin in github.com/mattermost/mattermost-server
from 0
MEDIUM4.7CVE-2024-29221Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server
from 0
MEDIUM4.6CVE-2024-46872Mattermost Server Path Traversal vulnerability that leads to Cross-Site Request Forgery
from 0
MEDIUM4.6CVE-2024-40886Mattermost Cross-Site Request Forgery vulnerability in github.com/mattermost/mattermost-server
from 0
MEDIUM4.6CVE-2022-1385Improper Control of a Resource Through its Lifetime in Mattermost in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2026-2455Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation
from 0
MEDIUM4.3CVE-2026-24692Mattermost fails to properly enforce read permissions in search API endpoints
from 0
MEDIUM4.3CVE-2026-4265Mattermost fails to validate team-specific upload_file permissions
from 0
MEDIUM4.3CVE-2026-21386Mattermost fails to use consistent error responses when handling the /mute command
from 0
MEDIUM4.3CVE-2026-2458Mattermost allows a removed team member to enumerate all public channels within a private team
from 0
MEDIUM4.3CVE-2026-2463Mattermost fails to filter invite IDs based on user permissions
from 0
MEDIUM4.3CVE-2026-2578Mattermost fails to preserve the redacted state of burn-on-read posts during deletion
from 0
MEDIUM4.3CVE-2026-26246Mattermost fails to bound memory allocation when processing PSD image files
from 0
MEDIUM4.3CVE-2026-2457Mattermost allows attackers to spoof permalink embeds
from 0
MEDIUM4.3CVE-2026-25783Mattermost fails to properly validate User-Agent header tokens
from 0
MEDIUM4.3CVE-2026-25780Mattermost fails to bound memory allocation when processing DOC files
from 0
MEDIUM4.3CVE-2025-14350Mattermost fails to properly validate team membership when processing channel mentions
from 0
MEDIUM4.3CVE-2025-13767Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues
from 0
MEDIUM4.3CVE-2025-13324Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation in github.com/mattermost/mattermost
from 0
MEDIUM4.3CVE-2025-12756Mattermost fails to validate user permissions when deleting comments in Boards in github.com/mattermost/mattermost
from 0
MEDIUM4.3CVE-2025-12559Mattermost fails to sanitize team email addresses in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2025-11776Mattermost fails to properly restrict access to archived channel search API in github.com/mattermost/mattermost
from 0, < 5.3.2-0.20250815165020-c8d66301415d
MEDIUM4.3CVE-2025-11776Mattermost fails to properly restrict access to archived channel search API in github.com/mattermost/mattermost
from 0
MEDIUM4.3CVE-2025-9078Mattermost makes Use of Weak Hash in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2025-6465Mattermost Fails to Sanitize File Names in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2025-47870Mattermost Does Not Sanitize the Team Invite ID in github.com/mattermost/mattermost-server
from 0, <= 5.39.3
MEDIUM4.3CVE-2025-47870Mattermost Does Not Sanitize the Team Invite ID in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2025-47871Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2025-3228Mattermost allows an unauthorized Guest user access to Playbook in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2025-3227Mattermost allows unauthorized channel member management through playbook runs in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2025-2527Mattermost Fails to Verify User's Permissions When Accessing Groups in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2025-3446Mattermost Fails to Validate Team Invite Permissions in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2025-2564Mattermost Incorrect Authorization vulnerability
from 0
MEDIUM4.3CVE-2025-27571Mattermost Incorrect Authorization vulnerability
from 0
MEDIUM4.3CVE-2025-30179Mattermost Fails to Enforce Certain Search APIs in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2025-25274Mattermost Fails to Restrict Command Execution in Archived Channels in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2025-24920Mattermost Fails to Restrict Bookmark Creation and Updates in Archived Channels in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2025-1472Mattermost Fails to Properly Perform Viewer Role Authorization in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2025-24526Mattermost fails to restrict channel export of archived channels in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2025-20033Mattermost Improper Validation of Specified Type of Input vulnerability
from 0
MEDIUM4.3CVE-2024-47401Mattermost Server vulnerable to application crash from attacker-generated large response in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2024-10241Mattermost Server allows user to get private channel names in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2024-50052Mattermost server allows authenticated user to delete arbitrary post in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2024-43780Mattermost allows guest user with read access to upload files to a channel in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2024-32939Mattermost doesn't redact remote users' original email addresses in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2024-39839Mattermost allows a user on a remote to set their remote username prop to an arbitrary string in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2024-28949Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2024-1942Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2024-1953Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2024-1887Mattermost post fetching without auditing in compliance export
from 0
MEDIUM4.3CVE-2024-23493Mattermost leaks details of AD/LDAP groups of a teams
from 0
MEDIUM4.3CVE-2024-24988Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2024-1888Mattermost fails to check the "invite_guest" permission in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2024-1402Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server
from 0
MEDIUM4.3CVE-2023-48732Mattermost notified all users in the channel when using WebSockets to respond individually
from 0
MEDIUM4.3CVE-2023-47858Mattermost viewing archived public channels permissions vulnerability
from 0
MEDIUM4.3CVE-2022-1332Improper Privilege Management in Mattermost in github.com/mattermost/mattermost-server
from 0, < 5.37.9
MEDIUM4.3CVE-2022-1332Improper Privilege Management in Mattermost in github.com/mattermost/mattermost-server
from 0, < 5.37.9
MEDIUM4.2CVE-2025-2571Mattermost fails to clear Google OAuth credentials in github.com/mattermost/mattermost-server
from 0
MEDIUM4.1CVE-2025-64641Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin
from 0
MEDIUM4.1CVE-2025-4573Mattermost allows authenticated administrator to execute LDAP search filter injection in github.com/mattermost/mattermost-server
from 0
MEDIUM4.1CVE-2024-41162Mattermost allows a remote actor to make an arbitrary local channel read-only in github.com/mattermost/mattermost-server
from 0
LOW3.8CVE-2025-14573Mattermost fails to enforce invite permissions when updating team settings
from 0
LOW3.8CVE-2025-53971Mattermost Fails to Properly Validate Team Role Modification in github.com/mattermost/mattermost-server
from 0, <= 5.39.3
LOW3.8CVE-2025-53971Mattermost Fails to Properly Validate Team Role Modification in github.com/mattermost/mattermost-server
from 0
LOW3.8CVE-2025-22449Mattermost Incorrect Authorization vulnerability
from 0
LOW3.8CVE-2024-39837Mattermost did not properly restrict channel creation in github.com/mattermost/mattermost-server
from 0
LOW3.8CVE-2024-39837Mattermost did not properly restrict channel creation in github.com/mattermost/mattermost-server
from 0, < 5.3.2-0.20240626164322-c758cecaf30c
LOW3.7CVE-2023-50333Mattermost allows demoted guests to change group names
from 0
LOW3.7CVE-2023-7113Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server
from 0
LOW3.5CVE-2025-49810Mattermost Lack of Access Control Validation in github.com/mattermost/mattermost-server
from 0
LOW3.5CVE-2025-47700Mattermost Server SSRF Vulnerability via the Agents Plugin in github.com/mattermost/mattermost-server
from 0
LOW3.5CVE-2025-22445Mattermost has Improper Check for Unusual or Exceptional Conditions
from 0
LOW3.5CVE-2024-10214Mattermost incorrectly issues two sessions when using desktop SSO
from 0
LOW3.3CVE-2025-27715Mattermost fail to prompt for explicit approval before adding a team admin to a private channel in github.com/mattermost/mattermost-server
from 0
LOW3.1CVE-2026-22545Mattermost fails to validate user's authentication method when processing account auth type switch
from 0
LOW3.1CVE-2025-62690Mattermost has missing redirect URL validation in github.com/mattermost/mattermost
from 0
LOW3.1CVE-2025-13870Mattermost fails to validate user permissions in Boards in github.com/mattermost/mattermost
from 0
LOW3.1CVE-2025-41436Mattermost allows regular users to access archived channel content and files in github.com/mattermost/mattermost-server
from 0
LOW3.1CVE-2025-11777Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost
from 0, < 5.3.2-0.20250905150616-ba86dfc5876b
LOW3.1CVE-2025-11777Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost
from 0
LOW3.1CVE-2025-10545Mattermost has an Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
from 0
LOW3.1CVE-2025-54499Mattermost has an Observable Timing Discrepancy vulnerability in github.com/mattermost/mattermost-server
from 0
LOW3.1CVE-2025-9081Mattermost boards plugin fails to restrict download access to files in github.com/mattermost/mattermost-plugin-boards
from 0
LOW3.1CVE-2025-9084Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server
from 0
LOW3.1CVE-2025-4128Mattermost allows guest users to view information about public teams they are not members of in github.com/mattermost/mattermost-server
from 0
LOW3.1CVE-2025-1792Mattermost fails to properly enforce access controls for guest users in github.com/mattermost/mattermost-server
from 0
LOW3.1CVE-2025-3611Mattermost fails to properly enforce access control restrictions for System Manager roles
from 0
LOW3.1CVE-2025-41423Mattermost Playbooks fails to properly validate permissions
from 0
LOW3.1CVE-2025-24839Mattermost Incorrect Authorization vulnerability
from 0
LOW3.1CVE-2025-2424Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
from 0
LOW3.1CVE-2025-1412Mattermost fails to invalidate all active sessions when converting a user to a bot in github.com/mattermost/mattermost-server
from 0
LOW3.1CVE-2024-21848Mattermost Server Improper Access Control
from 0
LOW3.1CVE-2024-28053Mattermost Server Resource Exhaustion in github.com/mattermost/mattermost-server
from 0, < 0.0.0-20240209181221-674f549daf0e
LOW3.1CVE-2024-28053Mattermost Server Resource Exhaustion in github.com/mattermost/mattermost-server
from 0
LOW3.1CVE-2024-1952Mattermost incorrectly allows access individual posts
from 0
LOW3.1CVE-2024-23488Mattermost fails to properly restrict the access of files attached to posts in github.com/mattermost/mattermost-server
from 0
LOW3.1CVE-2024-24776Mattermost fails to check the required permissions
from 0
LOW3.0CVE-2025-13352Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection in github.com/mattermost/mattermost
from 0
LOW3.0CVE-2025-55074Mattermost allows other users to determine when users had read channels via channel member objects in github.com/mattermost/mattermost-server
from 0
LOW3.0CVE-2025-31363Mattermost doesn't restrict domains LLM can request to contact upstream
from 0
LOW2.7CVE-2025-2570Mattermost Fails to Check User Access to `ExperimentalSettings` in github.com/mattermost/mattermost-server
from 0
LOW2.7CVE-2025-24866Mattermost Fails to Enforce Proper Access Controls on `/api/v4/audits` Endpoint
from 0
LOW2.7CVE-2024-40884Mattermost allows team admin user without "Add Team Members" permission to disable invite URL in github.com/mattermost/mattermost-server
from 0
LOW2.7CVE-2024-41926Mattermost allows remote actor to set arbitrary RemoteId values for synced users in github.com/mattermost/mattermost-server
from 0
LOW2.7CVE-2024-29977Mattermost failed to properly validate synced reactions in github.com/mattermost/mattermost-server
from 0
LOW2.6CVE-2024-1949Mattermost race condition in github.com/mattermost/mattermost-server
from 0
LOW2.2CVE-2025-6227Mattermost has Insufficiently Protected Credentials in github.com/mattermost/mattermost-server
from 0
LOW2.2CVE-2025-27538Mattermost Missing Authentication for Critical Function
from 0