
github.com/mattermost/mattermost-server vulnerabilities

250 known vulnerabilities affecting github.com/mattermost/mattermost-server.

Total CVEs: 250
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 24, MEDIUM 116, LOW 28, UNKNOWN 72

Vulnerabilities

Page 1 of 13
CVE-2025-12419 | P2 | CRITICAL | ≥ 10.12.0, < 10.12.2; ≥ 10.11.0, < 10.11.5; +2 more | 2025-11-27
CWE-287: Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication
Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication, which allows an authenticated attacker with team creation privileges to take over a user account vi
Sources: GHSA, OSV
CVE-2025-12421 | P2 | CRITICAL | ≥ 11.0.0, < 11.0.3; ≥ 10.12.0, < 10.12.2; +2 more | 2025-11-27
CWE-287: Mattermost fails to verify the token used during code exchange
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authent
Sources: GHSA, OSV
CVE-2025-4981 | P2 | CRITICAL | ≥ 0, < 0.0.0-20250519205859-65aec10162f6 | 2025-06-20
CWE-427: Mattermost allows authenticated users to write files to arbitrary locations
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor, which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequences in filenam
Sources: GHSA, OSV
CVE-2025-25279 | P2 | UNKNOWN | ≥ 9.11.0-rc1+incompatible, < 9.11.8+incompatible; ≥ 10.2.0-rc1+incompatible, < 10.2.3+incompatible; +2 more | 2025-03-03
Mattermost allows reading arbitrary files related to importing boards in github.com/mattermost/mattermost-server
Sources: OSV
CVE-2026-4858 | P2 | HIGH | ≥ 11.6.0, < 11.6.1; ≥ 11.5.0, < 11.5.4; +2 more | 2026-05-21
CWE-22: Mattermost has a Path Traversal issue
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check the integration URL for path traversal, which allows a malicious authenticated user to call an arbitrary API using the system admin Mattermost auth token via path traversal in the integration action URL. Mattermost Advisory ID: MMSA-2026-00640.
Sources: GHSA
CVE-2024-39777 | P3 | UNKNOWN | ≥ 9.5.0+incompatible, < 9.5.7+incompatible; ≥ 9.7.0+incompatible, < 9.7.6+incompatible; +2 more | 2024-08-30
Mattermost allows unsolicited invites to expose access to local channels in github.com/mattermost/mattermost-server
Sources: OSV
CVE-2025-25274 | P3 | UNKNOWN | ≥ 9.11.0+incompatible, < 9.11.9+incompatible; ≥ 10.3.0+incompatible, < 10.3.4+incompatible; +2 more | 2025-03-25
Mattermost Fails to Restrict Command Execution in Archived Channels in github.com/mattermost/mattermost-server
Sources: OSV
CVE-2025-25068 | P3 | UNKNOWN | ≥ 9.11.0+incompatible, < 9.11.9+incompatible; ≥ 10.3.0+incompatible, < 10.3.4+incompatible; +2 more | 2025-03-25
Mattermost Fails to Enforce MFA on Plugin Endpoints in github.com/mattermost/mattermost-server
Sources: OSV
CVE-2017-18915 | P3 | CRITICAL | ≥ 0, < 3.6.7-0.20170420152529-0968e4079e0a; ≥ 3.7.0, < 3.7.5; +1 more | 2022-05-24
CWE-20: Mattermost Server: server restarts may provide attackers with API access
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access.
Sources: GHSA, OSV
CVE-2017-18888 | P3 | CRITICAL | ≥ 0, < 4.1.2; ≥ 4.2.0-rc1, < 4.2.1; +1 more | 2022-05-24
CWE-89: Mattermost Server is vulnerable to SQL Injection when executing multiple POST requests
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows SQL injection during the fetching of multiple posts.
Sources: GHSA, OSV
CVE-2016-11074 | P3 | HIGH | ≥ 0, < 3.0.0 | 2022-05-24
CWE-287: Mattermost Server: Insufficient Password-Reset Link Invalidation
An issue was discovered in Mattermost Server before 3.0.0. A password-reset link could be reused.
Sources: GHSA, OSV
CVE-2025-58073 | P3 | HIGH | ≥ 10.11.0, < 10.11.2; ≥ 10.10.0, < 10.10.3; +1 more | 2025-10-16
CWE-862: Mattermost has a Missing Authorization vulnerability
Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token, which allows any attacker to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state.
Sources: GHSA, OSV
CVE-2025-58075 | P3 | HIGH | ≥ 10.11.0, < 10.11.2; ≥ 10.10.0, < 10.10.3; +1 more | 2025-10-16
CWE-862: Mattermost has a Missing Authorization vulnerability
Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token, which allows any attacker to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState.
Sources: GHSA, OSV
CVE-2026-6346 | P3 | HIGH | ≥ 0, < 5.3.2-0.20260326202606-fac92f4a71f3 | 2026-05-18
CWE-200: Mattermost doesn't sanitize sensitive configuration fields before including them in support packet generation
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a suppo
Sources: GHSA
CVE-2017-18908 | P3 | CRITICAL | ≥ 0, < 3.9.1-rc1; ≥ 3.10.0, < 3.10.1 | 2022-05-24
CWE-287: Mattermost Server password reset email requests can be sent to attacker-provided email addresses
An issue was discovered in Mattermost Server before 4.0.0, 3.10.1, and 3.9.1. A password reset request was sometimes sent to an attacker-provided e-mail address.
Sources: GHSA, OSV
CVE-2025-9079 | P3 | HIGH | ≥ 10.8.0, < 10.8.4; ≥ 10.5.0, < 10.5.9; +3 more | 2025-09-19
CWE-22: Mattermost Path Traversal vulnerability
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate the import directory path configuration, which allows admin users to execute arbitrary code via malicious plugin upload to the prepackaged plugins directory.
Sources: GHSA, OSV
CVE-2025-1412 | P3 | UNKNOWN | ≥ 9.11.0-rc1+incompatible, < 9.11.7+incompatible; ≥ 10.4.0-rc1+incompatible, < 10.4.2+incompatible | 2025-03-03
Mattermost fails to invalidate all active sessions when converting a user to a bot in github.com/mattermost/mattermost-server
Sources: OSV
CVE-2017-18900 | P3 | CRITICAL | ≥ 0, < 3.10.3; ≥ 4.0.0, < 4.0.3 | 2022-05-24
CWE-1236: Mattermost Server is vulnerable to CSV Injection
An issue was discovered in Mattermost Server before 4.0.4 and 3.10.3. It allows CSV injection via a compliance report.
Sources: GHSA, OSV
CVE-2017-18912 | P3 | HIGH | ≥ 0, < 3.7.4-0.20170404171331-0b5c0794fdcb | 2022-05-24
CWE-22: Mattermost Server allows an attacker to specify a full pathname of a log file
An issue was discovered in Mattermost Server before 3.7.5. It allows an attacker to specify a full pathname of a log file.
Sources: GHSA, OSV
CVE-2025-55070 | P3 | MEDIUM | ≥ 0, < 11.1.0 | 2025-11-14
CWE-306: Mattermost does not enforce MFA on WebSocket connections
Mattermost versions < 11 fail to enforce multi-factor authentication on WebSocket connections, which allows unauthenticated users to access sensitive information via WebSocket events.
Sources: GHSA, OSV