
github.com/mattermost/mattermost-plugin-github vulnerabilities

4 known vulnerabilities affecting github.com/mattermost/mattermost-plugin-github.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 2, LOW 1

Vulnerabilities

CVE-2026-5308 | P3 | HIGH | Affected: ≥ 0, < 1.0.1-0.20260410143745-9b41b1fd43c4 | 2026-05-26
CVE-2026-5308 [HIGH] CWE-400: Mattermost doesn't enforce request body size limits on plugin HTTP endpoints. Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints, which allows an attacker to cause a denial of service via crafted oversized HTTP requests. Mattermost Advisory ID: MMSA-2026-00646
Source: GHSA
CVE-2026-28735 | P4 | MEDIUM | Affected: ≥ 0, < 1.0.1-0.20260318132218-6e6b740c4852 | 2026-05-26
CVE-2026-28735 [MEDIUM] CWE-863: Mattermost allows authenticated users to gain access to private repositories. Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the OAuth token scope on the callback, which allows an authenticated Mattermost user to gain access to private repositories via modifying the scope parameter in the GitHub authorization URL. Mattermost A
Source: GHSA
CVE-2026-4646 | P4 | MEDIUM | Affected: ≥ 0, < 1.0.1-0.20260330164815-c2840e980b3c | 2026-05-26
CVE-2026-4646 [MEDIUM] CWE-1287: Mattermost doesn't validate user-supplied input in API request handlers. Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers, which allows an authenticated attacker to crash the plugin process via a crafted HTTP request to the PR details endpoint. Mattermost Advisory ID: MMSA-2026-00638
Source: GHSA
CVE-2025-13352 | P4 | LOW | Affected: ≥ 0, < 1.0.1-0.20250829075715-0deffcfc6bee | 2025-12-17
CVE-2025-13352 [LOW] CWE-1287: Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection. Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <= 2.4.0 fail to validate plugin bot identity in reaction forwarding, which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via craft
Sources: GHSA, OSV