| Severity | Score | CVE | Advisory | Package | Affected versions |
|---|---|---|---|---|---|
| CRITICAL | 9.9 | CVE-2025-12421 | Mattermost fails to verify the token used during code exchange | github.com/mattermost/mattermost-server | from 0 |
| CRITICAL | 9.9 | CVE-2025-12419 | Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication | github.com/mattermost/mattermost-server | from 0 |
| CRITICAL | 9.9 | CVE-2025-4981 | Mattermost allows authenticated users to write files to arbitrary locations | github.com/mattermost/mattermost-server | from 0 |
| CRITICAL | 9.9 | | Mattermost allows reading arbitrary files related to importing boards | github.com/mattermost/mattermost-server | from 0 |
| CRITICAL | 9.9 | | Mattermost allows reading arbitrary files | github.com/mattermost/mattermost-server | from 0 |
| HIGH | 8.8 | | Mattermost Incorrect Authorization vulnerability | | from 0, < 7.1.8 |
| HIGH | 8.8 | | Insecure plugin handling in Mattermost | github.com/mattermost/mattermost-server | >= 6.4.0, < 6.5.0 |
| HIGH | 8.8 | | Insecure plugin handling in Mattermost | github.com/mattermost/mattermost-server | >= 6.4.0, < 6.5.0 |
| HIGH | 8.7 | | Mattermost allows unsolicited invites to expose access to local channels | github.com/mattermost/mattermost-server | from 0 |
| HIGH | 8.7 | | Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel | github.com/mattermost/mattermost-server | from 0 |
| HIGH | 8.1 | | Mattermost has a Missing Authorization vulnerability | github.com/mattermost/mattermost-server | from 0 |
| HIGH | 8.1 | | Mattermost has a Missing Authorization vulnerability | github.com/mattermost/mattermost-server | from 0 |
| HIGH | 8.0 | | Mattermost Path Traversal vulnerability | github.com/mattermost/mattermost-server | from 0 |
| HIGH | 7.6 | | Mattermost Open Redirect vulnerability | github.com/mattermost/mattermost-server | from 0 |
| HIGH | 7.5 | | Mattermost fails to properly handle very long passwords | github.com/mattermost/mattermost-server | from 0 |
| HIGH | 7.5 | | Mattermost Fails to Enforce MFA on Plugin Endpoints | github.com/mattermost/mattermost-server | from 0 |
| HIGH | 7.4 | | Mattermost failed to disallow the modification of local users when syncing users in shared channels | github.com/mattermost/mattermost-server | from 0 |
| HIGH | 7.2 | | Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm | github.com/mattermost/mattermost-plugin-jira | from 0 |
| HIGH | 7.1 | | Mattermost Injection vulnerability | | from 0, < 7.8.14 |
| MEDIUM | 6.8 | | Mattermost Fails to Sanitize Path Traversal Sequences | github.com/mattermost/mattermost-server | from 0, <= 6.7.2 |
| MEDIUM | 6.8 | | Mattermost Fails to Sanitize Path Traversal Sequences | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 6.8 | | Mattermost Fails to Validate File Paths | github.com/mattermost/mattermost-server | from 0, <= 6.7.2 |
| MEDIUM | 6.8 | | Mattermost Fails to Validate Remote Cluster Upload Sessions | github.com/mattermost/mattermost-server | from 0, <= 5.7.2 |
| MEDIUM | 6.8 | | Mattermost Fails to Validate File Paths | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 6.8 | | Mattermost Fails to Validate Remote Cluster Upload Sessions | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 6.8 | | Mattermost Path Traversal vulnerability | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 6.8 | | Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 6.7 | | Mattermost does not validate requesting user permissions before updating admin details | | from 0, < 7.8.8 |
| MEDIUM | 6.5 | | Mattermost does not enforce MFA on WebSocket connections | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 6.5 | | Mattermost Missing Authorization vulnerability | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 6.5 | | Mattermost Missing Authentication for Critical Function | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 6.5 | | Mattermost Playbooks fails to validate the uniqueness and quantity of task actions | github.com/mattermost/mattermost-plugin-playbooks | from 0 |
| MEDIUM | 6.5 | | Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type | github.com/mattermost/mattermost-plugin-playbooks | from 0 |
| MEDIUM | 6.5 | | Mattermost webapp crash via a crafted post | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 6.5 | | Mattermost fails to properly validate post props | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 6.5 | | Mattermost fails to properly validate post props | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 6.5 | | Mattermost Incorrect Type Conversion or Cast | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 6.5 | | Mattermost Improper Validation of Specified Type of Input vulnerability | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 6.5 | | Mattermost Data Amplification vulnerability | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 6.5 | | Mattermost fails to authenticate the source of certain types of post actions | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 6.5 | | Mattermost Uncontrolled Resource Consumption vulnerability | | from 0, < 7.8.10 |
| MEDIUM | 6.5 | | Mattermost Incorrect Authorization vulnerability | | from 0, < 7.8.10 |
| MEDIUM | 6.5 | | Mattermost vulnerable to information disclosure | | >= 6.0.0, < 7.1.6 |
| MEDIUM | 6.5 | | Mattermost subject to Denial of Service via upload of special GIF | | >= 7.1.0, < 7.2.0 |
| MEDIUM | 6.5 | | Mattermost users could access some sensitive information via API call | github.com/mattermost/mattermost-server | from 0, < 6.3.9; >= 6.4.0, < 6.5.2; >= 6.6.0, < 6.6.2; >= 6.7.0, < 6.7.1 |
| MEDIUM | 6.5 | | Mattermost users could access some sensitive information via API call | github.com/mattermost/mattermost-server | from 0, < 6.3.9 |
| MEDIUM | 6.5 | | Resource exhaustion in Mattermost | github.com/mattermost/mattermost-server | from 0, < 6.4.2 |
| MEDIUM | 6.5 | | Resource exhaustion in Mattermost | github.com/mattermost/mattermost-server | from 0, < 6.4.2 |
| MEDIUM | 6.3 | | Mattermost fails to check if user is a guest before performing actions on public playbooks | | >= 7.9.0, < 7.9.6 |
| MEDIUM | 6.0 | | Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 5.8 | | Mattermost Fails to Lock Out LDAP Users After Repeated Login Failures | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 5.7 | | Mattermost fails to sanitize sensitive data in WebSocket messages | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 5.5 | | Mattermost allows remote actor to create/update/delete posts in arbitrary channels | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 5.4 | | Mattermost fails to properly validate login method restrictions | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 5.4 | | Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 5.4 | | Mattermost has a Missing Authorization vulnerability | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 5.4 | | Mattermost Incorrect Authorization vulnerability | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 5.4 | | Mattermost fails to properly invalidate personal access tokens upon user deactivation | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 5.4 | | Mattermost vulnerable to Incorrect Implementation of Authentication Algorithm | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 5.4 | | Mattermost allows members with permission to convert public channels to private and convert private to public | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 5.4 | | Mattermost fails to strip `embeds` from `metadata` when broadcasting `posted` events | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 5.4 | | Mattermost vulnerable to cross-site scripting (XSS) | | >= 6.0.0, < 7.1.6 |
| MEDIUM | 5.4 | | Mattermost fails to properly authenticate inviter's permissions to private channel | | >= 6.0.0, < 7.1.6 |
| MEDIUM | 5.3 | | Mattermost fails to limit the size of responses from integration action endpoints | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 5.3 | | Mattermost improperly allows team administrators to modify team invites | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 5.3 | | Mattermost vulnerable to Observable Timing Discrepancy | github.com/mattermost/mattermost-plugin-msteams | from 0 |
| MEDIUM | 5.3 | | Mattermost Exposure of Sensitive Information to an Unauthorized Actor vulnerability | | from 0, < 7.8.14 |
| MEDIUM | 5.3 | | Mattermost Uncontrolled Resource Consumption vulnerability | | from 0, < 7.8.13 |
| MEDIUM | 5.3 | | Mattermost vulnerable to excessive memory consumption | | from 0, < 7.8.12 |
| MEDIUM | 5.3 | | Mattermost vulnerable to information disclosure | | >= 6.3.0, < 7.1.6 |
| MEDIUM | 4.9 | | Mattermost allows system administrators to access password hashes and MFA secrets | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 4.9 | | Mattermost has Potential Server Crash due to Unvalidated Import Data | github.com/mattermost/mattermost-server | from 0, <= 6.7.2 |
| MEDIUM | 4.9 | | Mattermost has Potential Server Crash due to Unvalidated Import Data | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 4.9 | | Mattermost password hash disclosure vulnerability | | >= 5.4.0-rc1, < 7.8.12 |
| MEDIUM | 4.8 | | Mattermost Race Condition vulnerability | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 4.8 | | Mattermost allows remote/synthetic users to create sessions, reset passwords | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 4.7 | | Mattermost Fails to Restrict Certain Operations on System Admins | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 4.7 | | Mattermost doesn't restrict which roles can promote a user as system admin | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 4.7 | | Mattermost Server Improper Access Control | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 4.6 | | Mattermost Server Path Traversal vulnerability that leads to Cross-Site Request Forgery | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 4.6 | | Mattermost Cross-Site Request Forgery vulnerability | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 4.6 | | Improper Control of a Resource Through its Lifetime in Mattermost | github.com/mattermost/mattermost-server | from 0, < 6.5.0 |
| MEDIUM | 4.6 | | Improper Control of a Resource Through its Lifetime in Mattermost | github.com/mattermost/mattermost-server | from 0, < 6.5.0 |
| MEDIUM | 4.5 | | Mattermost fails to sanitize post metadata | | from 0, < 7.8.8 |
| MEDIUM | 4.3 | | Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 4.3 | | Mattermost fails to properly enforce read permissions in search API endpoints | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 4.3 | | Mattermost fails to use consistent error responses when handling the /mute command | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 4.3 | | Mattermost fails to validate team-specific upload_file permissions | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 4.3 | | Mattermost fails to filter invite IDs based on user permissions | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 4.3 | | Mattermost fails to preserve the redacted state of burn-on-read posts during deletion | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 4.3 | | Mattermost allows a removed team member to enumerate all public channels within a private team | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 4.3 | | Mattermost fails to bound memory allocation when processing DOC files | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 4.3 | | Mattermost fails to properly validate User-Agent header tokens | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 4.3 | | Mattermost fails to bound memory allocation when processing PSD image files | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 4.3 | | Mattermost allows attackers to spoof permalink embeds | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 4.3 | | Mattermost fails to properly validate team membership when processing channel mentions | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 4.3 | | Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues | github.com/mattermost/mattermost-server | from 0 |
| MEDIUM | 4.3 | | Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation | github.com/mattermost/mattermost | from 0 |
| MEDIUM | 4.3 | | Mattermost fails to validate user permissions when deleting comments in Boards | github.com/mattermost/mattermost | from 0 |
| MEDIUM | 4.3 | | Mattermost fails to sanitize team email addresses | github.com/mattermost/mattermost-server | from 0 |